Loading ...

Play interactive tourEdit tour

Windows Analysis Report Original Doc Ref SN02853801324189923.exe

Overview

General Information

Sample Name:Original Doc Ref SN02853801324189923.exe
Analysis ID:542742
MD5:2b40b86c870ab6b0e9b08f26bd231e1a
SHA1:78a6fc51761c25fe571fec37ca4beaa13d7b5d48
SHA256:6c9c9bd77d704ca8c48a0125289e0e15e75f62f09d40ffad58a24bd96c3a57c0
Tags:exeguloaderxloader
Infos:

Most interesting Screenshot:

Detection

GuLoader FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Original Doc Ref SN02853801324189923.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe" MD5: 2B40B86C870AB6B0E9B08F26BD231E1A)
    • Semiha.exe (PID: 6404 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe MD5: AE871D1957030344D4CEFC7295A1E964)
      • Semiha.exe (PID: 5580 cmdline: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe MD5: AE871D1957030344D4CEFC7295A1E964)
        • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • rundll32.exe (PID: 6612 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1vqWz"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000019.00000000.481436441.0000000000560000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
      00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
        00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
        • 0x16af8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
        Click to see the 2 entries

        Sigma Overview

        No Sigma rule has matched

        Jbx Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1vqWz"}
        Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}
        Multi AV Scanner detection for submitted fileShow sources
        Source: Original Doc Ref SN02853801324189923.exeVirustotal: Detection: 29%Perma Link
        Yara detected FormBookShow sources
        Source: Yara matchFile source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY
        Multi AV Scanner detection for domain / URLShow sources
        Source: www.thesocialmediacreator.com/i638/Virustotal: Detection: 5%Perma Link
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeVirustotal: Detection: 32%Perma Link
        Machine Learning detection for sampleShow sources
        Source: Original Doc Ref SN02853801324189923.exeJoe Sandbox ML: detected
        Machine Learning detection for dropped fileShow sources
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeJoe Sandbox ML: detected
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.7:49830 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.7:49831 version: TLS 1.2
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wextract.pdb source: Original Doc Ref SN02853801324189923.exe
        Source: Binary string: wntdll.pdbUGP source: Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: Semiha.exe, Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
        Source: Binary string: wextract.pdbPp source: Original Doc Ref SN02853801324189923.exe
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\Local\Temp\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\Local\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: www.thesocialmediacreator.com/i638/
        Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1vqWz
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-80-docs.googleusercontent.comConnection: Keep-Alive
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49831
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
        Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
        Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: explorer.exe, 0000001C.00000000.747255053.0000000006870000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000002.767904819.0000000006870000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
        Source: Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
        Source: Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
        Source: Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmpString found in binary or memory: https://doc-10-80-docs.googleusercontent.com/
        Source: Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmpString found in binary or memory: https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8
        Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmpString found in binary or memory: https://doc-10-80-docs.googleusercontent.com/g
        Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmpString found in binary or memory: https://doc-10-80-docs.googleusercontent.com/z
        Source: Semiha.exe, 00000019.00000003.740959193.000000000093C000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0Ew
        Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl
        Source: Semiha.exe, 00000019.00000003.742532708.0000000000916000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779196860.0000000000917000.00000004.00000020.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKlNE-%&
        Source: Semiha.exe, 00000019.00000003.742532708.0000000000916000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779196860.0000000000917000.00000004.00000020.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKljD
        Source: unknownDNS traffic detected: queries for: drive.google.com
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-80-docs.googleusercontent.comConnection: Keep-Alive
        Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.7:49830 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.7:49831 version: TLS 1.2

        E-Banking Fraud:

        barindex
        Yara detected FormBookShow sources
        Source: Yara matchFile source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC5B88
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029EE085
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029EA432
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7E6E30
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7FEBB0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E881002
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7DB090
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C0D20
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7E4120
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7CF900
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E891D55
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_0056E085
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_0056A432
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029EE085 NtResumeThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8096E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8099A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809A80 NtOpenDirectoryObject,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8096D0 NtCreateKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809A00 NtProtectVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809610 NtEnumerateValueKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809A10 NtQuerySection,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809A20 NtResumeThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809650 NtQueryValueKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809A50 NtCreateFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809670 NtQueryInformationProcess,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8097A0 NtUnmapViewOfSection,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E80A3B0 NtGetContextThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809B00 NtSetValueKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E80A710 NtOpenProcessToken,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809710 NtQueryInformationToken,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809730 NtQueryVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809760 NtOpenProcess,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809770 NtSetInformationFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E80A770 NtOpenThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8098A0 NtWriteVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8098F0 NtReadVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809820 NtEnumerateKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809840 NtDelayExecution,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E80B040 NtSuspendThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8099D0 NtCreateProcessEx,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8095D0 NtClose,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8095F0 NtQueryInformationFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809520 NtWaitForSingleObject,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E80AD30 NtSetContextThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809540 NtReadFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809950 NtQueueApcThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E809560 NtWriteFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00563133 NtProtectVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_0056E7CC NtProtectVirtualMemory,
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 66519 bytes, 1 file
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess Stats: CPU usage > 98%
        Source: Original Doc Ref SN02853801324189923.exeBinary or memory string: OriginalFilename vs Original Doc Ref SN02853801324189923.exe
        Source: Original Doc Ref SN02853801324189923.exe, 00000000.00000002.485465711.0000000000FCA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe
        Source: Original Doc Ref SN02853801324189923.exe, 00000000.00000000.233147704.0000000000FCA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe
        Source: Original Doc Ref SN02853801324189923.exeBinary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Semiha.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Original Doc Ref SN02853801324189923.exeVirustotal: Detection: 29%
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: unknownProcess created: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe "C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe"
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
        Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMPJump to behavior
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/1@2/2
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC5849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC5849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,
        Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC4E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCommand line argument: Kernel32.dll
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Original Doc Ref SN02853801324189923.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: wextract.pdb source: Original Doc Ref SN02853801324189923.exe
        Source: Binary string: wntdll.pdbUGP source: Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: Semiha.exe, Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp
        Source: Binary string: wextract.pdbPp source: Original Doc Ref SN02853801324189923.exe

        Data Obfuscation:

        barindex
        Yara detected GuLoaderShow sources
        Source: Yara matchFile source: 00000019.00000000.481436441.0000000000560000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000019.00000002.779078252.0000000000560000.00000040.00000001.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC78A1 push ecx; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_00404C39 pushfd ; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_00406D5F push ebp; iretd
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_00406B0D push ss; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E4E50 push B1CC20AFh; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E5276 push esp; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E4316 push ds; iretd
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E1328 push esp; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E1321 push eax; iretd
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E0005 push cs; retf
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E0078 push cs; retf
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E3DDD push ss; retf
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E3DD5 push ss; retf
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E5560 push esp; iretd
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E81D0D1 push ecx; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00560078 push cs; retf
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00560005 push cs; retf
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00565560 push esp; iretd
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00563DD5 push ss; retf
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00563DDD push ss; retf
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00564E50 push B1CC20AFh; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00565276 push esp; ret
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00564316 push ds; iretd
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00561321 push eax; iretd
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_00561328 push esp; ret
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
        Source: initial sampleStatic PE information: section name: .text entropy: 7.1128813164
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeJump to dropped file
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC1910 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        barindex
        Tries to detect Any.runShow sources
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeFile opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeFile opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1VQWZ_R4BQMLYR0EWMVVJ53NSYRGJMPKL
        Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
        Tries to detect virtualization through RDTSC time measurementsShow sources
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7F6A60 rdtscp
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC532F GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeSystem information queried: ModuleInformation
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\Local\Temp\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\Local\
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeFile opened: C:\Users\user~1\AppData\
        Source: explorer.exe, 0000001C.00000002.771094420.0000000008A32000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
        Source: explorer.exe, 0000001C.00000002.771094420.0000000008A32000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
        Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
        Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
        Source: Semiha.exe, 00000019.00000003.742387045.000000000091D000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779208842.000000000091D000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW-
        Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
        Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
        Source: Semiha.exe, 00000019.00000003.742387045.000000000091D000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779208842.000000000091D000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
        Source: explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
        Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
        Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
        Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
        Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
        Source: explorer.exe, 0000001C.00000002.766113713.00000000048E0000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
        Source: explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
        Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
        Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: vmicvss
        Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl
        Source: explorer.exe, 0000001C.00000002.768967562.00000000069DA000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD002
        Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
        Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
        Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat

        Anti Debugging:

        barindex
        Hides threads from debuggersShow sources
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeThread information set: HideFromDebugger
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeThread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exeCode function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7F6A60 rdtscp
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeProcess token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029EBA69 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029EC093 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 2_2_029E9CA7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E85FE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7D766D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E8446A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E87FEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7CE620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E898ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7F16E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7D76E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7F36CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E87FE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E87B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E87B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7FD294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7FD294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E80927A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E88138A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7CDB60 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7CF358 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E895BA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exeCode function: 25_2_1E7CDB40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe<