Windows Analysis Report cX0XLcXbVY

AV Detection:

Found malware configuration

Source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Source: cX0XLcXbVY.exe	Virustotal: Detection: 47%			Perma Link
Source: cX0XLcXbVY.exe	Metadefender: Detection: 22%			Perma Link
Source: cX0XLcXbVY.exe	ReversingLabs: Detection: 37%

Antivirus / Scanner detection for submitted sample

Source: cX0XLcXbVY.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll	Avira: detection malicious, Label: TR/Redcap.chbhs
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe	Avira: detection malicious, Label: TR/Agent.kkknq

Antivirus or Machine Learning detection for unpacked file

Source: 13.2.plcd-player.exe.1000000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen8
Source: 0.3.cX0XLcXbVY.exe.3083600.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Unpacked PE file: 13.2.plcd-player.exe.1000000.0.unpack

Uses 32bit PE files

Source: cX0XLcXbVY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Creates license or readme file

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt			Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: cX0XLcXbVY.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: cX0XLcXbVY.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: cX0XLcXbVY.exe, decoder.dll.0.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: cX0XLcXbVY.exe
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: cX0XLcXbVY.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source:	Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr

Spreading:

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:			Jump to behavior

Networking:

Found strings which match to known social media urls

Source: cX0XLcXbVY.exe

String found in binary or memory: !LShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)

Source: cX0XLcXbVY.exe, 00000000.00000000.345597742.0000000000C95000.00000002.00020000.sdmp, cX0XLcXbVY.exe, 00000000.00000002.451948964.0000000000C95000.00000002.00020000.sdmp

String found in binary or memory: Shell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)

URLs found in memory or binary data

Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: cX0XLcXbVY.exe, 00000000.00000003.395526825.0000000004E59000.00000004.00000001.sdmp, plcd-player.exe, 0000000D.00000002.615817689.000000000126A000.00000002.00020000.sdmp	String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: cX0XLcXbVY.exe, 00000000.00000003.395526825.0000000004E59000.00000004.00000001.sdmp, plcd-player.exe, 0000000D.00000002.615817689.000000000126A000.00000002.00020000.sdmp	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: cX0XLcXbVY.exe, 00000000.00000003.395526825.0000000004E59000.00000004.00000001.sdmp, plcd-player.exe, 0000000D.00000002.615817689.000000000126A000.00000002.00020000.sdmp	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: cX0XLcXbVY.exe, 00000000.00000003.450916660.0000000002F61000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449834940.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootC
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: cX0XLcXbVY.exe, 00000000.00000003.356451186.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390820264.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000002.451599928.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450250541.0000000000916000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://crl.startssl.com/sfsca.crl0C
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cX0XLcXbVY.exe, 00000000.00000003.450916660.0000000002F61000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449834940.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assuP
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/Z0
Source: cX0XLcXbVY.exe, 00000000.00000002.453043589.0000000002F62000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450916660.0000000002F61000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449834940.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: cX0XLcXbVY.exe, 00000000.00000003.450867423.0000000000861000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000002.451339906.0000000000862000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: cX0XLcXbVY.exe, 00000000.00000003.353836394.0000000000913000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353758780.000000000090E000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?590d46a8258e4
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://icu-project.org
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://mybusinesscatalog.com0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://ocsp.comodoca.com0B
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://ocsp.startssl.com/ca00
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr	String found in binary or memory: http://t2.symcb.com0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr	String found in binary or memory: http://tl.symcd.com0&
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp	String found in binary or memory: http://www.MyBusinessCatalog.com
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp	String found in binary or memory: http://www.ecb.int/vocabulary/2002-08-01/eurofxref
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp	String found in binary or memory: http://www.gesmes.org/xml/2002-08-01
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://www.openssl.org/V
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://www.startssl.com/0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	String found in binary or memory: https://aka.ms/azsdkvalueprop.
Source: currencysystem5.json.0.dr	String found in binary or memory: https://currencysystem.com
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp	String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.gif
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp, currencysystem5.json.0.dr	String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.png
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp	String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.gif
Source: cX0XLcXbVY.exe, 00000000.00000003.395088538.0000000004B30000.00000004.00000001.sdmp, currencysystem5.json.0.dr	String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.png
Source: plcd-player.exe, 0000000D.00000003.576522904.0000000000B85000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/sreamble/1yYwg5JPV/TTMEh_2Bvq0Lam2KQ1N6/CbCST3fFsNMsZldokdK/BsvHxVUlWny
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: https://secure.comodo.com/CPS0L
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: cX0XLcXbVY.exe, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr, AWSSDK.SimpleDB.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Keys
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390756946.00000000008EA000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr	String found in binary or memory: https://www.thawte.com/repository0W

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: get.updates.avast.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600982689.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600919117.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600945104.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600828207.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.617093902.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: 13.2.plcd-player.exe.2fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600982689.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600919117.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600945104.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600828207.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.617093902.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: 13.2.plcd-player.exe.2fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section

Source: plcd-player.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: plcd-player.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: cX0XLcXbVY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1625.tmp

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\6d1078.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008E7F62		0_3_008E7F62
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008E7F62		0_3_008E7F62
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008E9790		0_3_008E9790
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008E7F62		0_3_008E7F62
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008E7F62		0_3_008E7F62
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FBAFC0		13_2_02FBAFC0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FB7FBE		13_2_02FB7FBE
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FB836E		13_2_02FB836E
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_0103BD60		13_2_0103BD60
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_01065D70		13_2_01065D70
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011D35A3		13_2_011D35A3
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011D3483		13_2_011D3483
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011B74B9		13_2_011B74B9
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011C44AF		13_2_011C44AF
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_01042300		13_2_01042300
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011AEFC1		13_2_011AEFC1

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_01001703 NtMapViewOfSection,		13_2_01001703
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_01001C90 GetProcAddress,NtCreateSection,memset,		13_2_01001C90
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_010019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,		13_2_010019A0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FB9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		13_2_02FB9A0F
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FBB1E5 NtQueryVirtualMemory,		13_2_02FBB1E5

Sample file is different than original file name gathered from version info

Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000002.452293156.0000000000CFD000.00000002.00020000.sdmp	Binary or memory string: OriginalFileNameplcd-player.exe> vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.450818856.00000000008B8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefusion.dllT vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameicuio58.dll vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUtilities_HelperlL vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Azure.KeyVault.Core.dll> vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSslCertBinding.Net.dllH vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Tasks.dllP vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.346953883.0000000000892000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDecoder.dllF vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.450144518.00000000008B8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefusion.dllT vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.450313012.00000000008B8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefusion.dllT vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJDesktop.tools vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAWSSDK.SimpleDB.dllb! vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDelimon.Win32.IO.dllD vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe	Binary or memory string: OriginalFileNameplcd-player.exe> vs cX0XLcXbVY.exe
Source: cX0XLcXbVY.exe	Binary or memory string: OriginalFilenameDecoder.dllF vs cX0XLcXbVY.exe

PE file contains strange resources

Source: cX0XLcXbVY.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: plcd-player.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: plcd-player.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Section loaded: lpk.dll			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Section loaded: libftl2.dll			Jump to behavior

PE / OLE file has an invalid certificate

Source: cX0XLcXbVY.exe

Static PE information: invalid certificate

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: Delimon.Win32.IO.dll.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Sample is known by Antivirus

Source: cX0XLcXbVY.exe	Virustotal: Detection: 47%
Source: cX0XLcXbVY.exe	Metadefender: Detection: 22%
Source: cX0XLcXbVY.exe	ReversingLabs: Detection: 37%

Sample reads its own file content

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe

File read: C:\Users\user\Desktop\cX0XLcXbVY.exe

Jump to behavior

PE file has an executable .text section and no other executable section

Source: cX0XLcXbVY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\cX0XLcXbVY.exe "C:\Users\user\Desktop\cX0XLcXbVY.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 466E61448170B49278D25BB3E382004E C
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\cX0XLcXbVY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876815 " AI_EUIMSI="
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 613EB8117F938DA5BF4F1D396689AB1F
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\cX0XLcXbVY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876815 " AI_EUIMSI="			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 466E61448170B49278D25BB3E382004E C			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 613EB8117F938DA5BF4F1D396689AB1F			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe

File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project

Jump to behavior

Creates temporary files

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe

File created: C:\Users\user\AppData\Local\Temp\shi7A5E.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/70@1/0

Reads ini files

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe

File read: C:\Users\desktop.ini

Jump to behavior

.NET source code contains functionality to register a task

Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncMethodTaskCache<TResult>.cs	Task registration methods: 'CreateCache', 'CreateCompleted'
Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder<TResult>.cs	Task registration methods: 'Create'
Source: System.Threading.Tasks.dll.0.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder.cs	Task registration methods: 'Create'

Contains functionality to enum processes or threads

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 13_2_02FB8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

13_2_02FB8F1B

Binary contains paths to development resources

Source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp

Binary or memory string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb

.NET source code contains calls to encryption/decryption functions

Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Encryption/ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Reads the hosts file

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

PE file has a big code size

Source: cX0XLcXbVY.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: cX0XLcXbVY.exe

Static file information: File size 7835392 > 1048576

PE file has a big raw section

Source: cX0XLcXbVY.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x183c00

PE file contains a mix of data directories often seen in goodware

Source: cX0XLcXbVY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cX0XLcXbVY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cX0XLcXbVY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cX0XLcXbVY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cX0XLcXbVY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cX0XLcXbVY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: cX0XLcXbVY.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: cX0XLcXbVY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: cX0XLcXbVY.exe, decoder.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: cX0XLcXbVY.exe, decoder.dll.0.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, MSI7F13.tmp.0.dr, 6d1078.msi.4.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: cX0XLcXbVY.exe
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: cX0XLcXbVY.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: cX0XLcXbVY.exe, 00000000.00000003.350466893.00000000031B3000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395705306.0000000004F26000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.4.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr
Source:	Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: cX0XLcXbVY.exe, 00000000.00000003.395890568.00000000050AE000.00000004.00000001.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: cX0XLcXbVY.exe, 00000000.00000003.350311744.0000000003050000.00000004.00000001.sdmp, 6d1078.msi.4.dr

PE file contains a valid data directory to section mapping

Source: cX0XLcXbVY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cX0XLcXbVY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cX0XLcXbVY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cX0XLcXbVY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cX0XLcXbVY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Unpacked PE file: 13.2.plcd-player.exe.1000000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Unpacked PE file: 13.2.plcd-player.exe.1000000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D3A80 push edi; retf		0_3_008D3A88
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D3A80 push edi; retf		0_3_008D3A88
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D0639 push edx; retf		0_3_008D0641
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D0639 push edx; retf		0_3_008D0641
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D0678 push ebp; retf		0_3_008D0679
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D0678 push ebp; retf		0_3_008D0679
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D3A80 push edi; retf		0_3_008D3A88
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D3A80 push edi; retf		0_3_008D3A88
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D0639 push edx; retf		0_3_008D0641
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D0639 push edx; retf		0_3_008D0641
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D0678 push ebp; retf		0_3_008D0679
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Code function: 0_3_008D0678 push ebp; retf		0_3_008D0679
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FBE62F push edi; retf		13_2_02FBE630
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FBAC00 push ecx; ret		13_2_02FBAC09
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FBAFAF push ecx; ret		13_2_02FBAFBF
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_02FBE9AC push 0B565A71h; ret		13_2_02FBE9B1
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011E5731 push ecx; ret		13_2_011E5744

PE file contains sections with non-standard names

Source: shi7A5E.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi7A5E.tmp.0.dr	Static PE information: section name: .didat

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 13_2_01001264 LoadLibraryA,GetProcAddress,

13_2_01001264

PE file contains an invalid checksum

Source: decoder.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x378b8
Source: lcms-5.0.dll.4.dr	Static PE information: real checksum: 0x4a44af should be: 0x4c891f
Source: lcms-5.0.dll.0.dr	Static PE information: real checksum: 0x4a44af should be: 0x4c891f

Binary contains a suspicious time stamp

Source: shi7A5E.tmp.0.dr

Static PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.27378716859

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml			Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1C63.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1D9D.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Local\Temp\shi7A5E.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1625.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7C24.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1B39.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7F13.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18B7.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI19E0.tmp			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1B39.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1C63.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1D9D.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18B7.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1625.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI19E0.tmp			Jump to dropped file

Creates license or readme file

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600982689.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600919117.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600945104.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600828207.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.617093902.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: 13.2.plcd-player.exe.2fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe TID: 6980	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6832	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6784	Thread sleep time: -240000s >= -30000s			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1C63.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI18B7.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi7A5E.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI19E0.tmp			Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Thread delayed: delay time: 240000

Jump to behavior

Queries a list of all running processes

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Thread delayed: delay time: 240000			Jump to behavior

Checks the free space of harddrives

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: 6d1078.msi.4.dr

Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+

Source: cX0XLcXbVY.exe, 00000000.00000002.453449521.0000000002FA8000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000002.453043589.0000000002F62000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450916660.0000000002F61000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.356451186.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353841384.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449834940.0000000002F51000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.390820264.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000002.451599928.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.353764378.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450250541.0000000000916000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.450972250.0000000002FA8000.00000004.00000001.sdmp, cX0XLcXbVY.exe, 00000000.00000003.449981847.0000000002FA8000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 13_2_6E6D6FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

13_2_6E6D6FED

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 13_2_01001264 LoadLibraryA,GetProcAddress,

13_2_01001264

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_6E6E5BE9 mov eax, dword ptr fs:[00000030h]		13_2_6E6E5BE9
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011C6DDC mov eax, dword ptr fs:[00000030h]		13_2_011C6DDC
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011B5B18 mov eax, dword ptr fs:[00000030h]		13_2_011B5B18
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011FAC46 mov eax, dword ptr fs:[00000030h]		13_2_011FAC46

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_6E6D6FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		13_2_6E6D6FED
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_6E6C7D41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		13_2_6E6C7D41
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011A7C2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		13_2_011A7C2C
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 13_2_011B9C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		13_2_011B9C76

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\cX0XLcXbVY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876815 " AI_EUIMSI="
Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\cX0XLcXbVY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637876815 " AI_EUIMSI="			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: plcd-player.exe, 0000000D.00000002.616342981.00000000015A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: plcd-player.exe, 0000000D.00000002.616342981.00000000015A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: plcd-player.exe, 0000000D.00000002.616342981.00000000015A0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: plcd-player.exe, 0000000D.00000002.616342981.00000000015A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,		13_2_011C655F
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		13_2_011CE954
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,		13_2_011CE550
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		13_2_011CE1C8
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,		13_2_011CE46A
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,		13_2_011CE4B5
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		13_2_011CEB29
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetLocaleInfoW,		13_2_011C6AC1

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 13_2_02FB7A2E cpuid

13_2_02FB7A2E

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\cX0XLcXbVY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 13_2_01001E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

13_2_01001E22

Contains functionality to query windows version

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 13_2_01001752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

13_2_01001752

Contains functionality to query the account / user name

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 13_2_02FB7A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

13_2_02FB7A2E

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600982689.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600919117.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600945104.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600828207.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.617093902.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: 13.2.plcd-player.exe.2fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 0000000D.00000003.600995271.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600967840.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600893144.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600863435.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600982689.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600919117.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600945104.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.600828207.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.617093902.0000000003888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: 13.2.plcd-player.exe.2fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.plcd-player.exe.33c94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617030577.00000000033C9000.00000004.00000040.sdmp, type: MEMORY