Windows Analysis Report 45I8GbQlUj

Overview

General Information

Sample Name: 45I8GbQlUj (renamed file extension from none to exe)
Analysis ID: 553487
MD5: 1b1e4286625bb189a526e910f2031c7b
SHA1: 650c0550f12c65d9841d10ab589ff39261018957
SHA256: c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624
Tags: 32exe
Infos:

Most interesting Screenshot:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
.NET source code contains potential unpacker
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Drops PE files with benign system names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: 45I8GbQlUj.exe Virustotal: Detection: 24% Perma Link
Source: 45I8GbQlUj.exe ReversingLabs: Detection: 20%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe Virustotal: Detection: 24% Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: 45I8GbQlUj.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe Joe Sandbox ML: detected
Source: 45I8GbQlUj.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.4:49760 -> 74.201.28.62:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /book/KB5009812.png HTTP/1.1Host: 74.201.28.62Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49800 -> 74.201.28.62:5586
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.28.62
Source: 45I8GbQlUj.exe, svchost.exe.0.dr String found in binary or memory: http://74.201.28.62/book/KB5009812.png
Source: global traffic HTTP traffic detected: GET /book/KB5009812.png HTTP/1.1Host: 74.201.28.62Connection: Keep-Alive

System Summary:

barindex
Sample file is different than original file name gathered from version info
Source: 45I8GbQlUj.exe, 00000000.00000003.774232886.000000001B822000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKB5009812.exe. vs 45I8GbQlUj.exe
Source: 45I8GbQlUj.exe, 00000000.00000000.650035857.0000000000452000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKB5009812.exe. vs 45I8GbQlUj.exe
Source: 45I8GbQlUj.exe, 00000000.00000003.774253369.000000001B829000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKB5009812.exe. vs 45I8GbQlUj.exe
Source: 45I8GbQlUj.exe Binary or memory string: OriginalFilenameKB5009812.exe. vs 45I8GbQlUj.exe
PE file contains strange resources
Source: 45I8GbQlUj.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe C9D7CB68DEC80469C3C03B0E90C7AF1972462CA7779424DB3BFD9D44AEBAA624
Source: 45I8GbQlUj.exe Virustotal: Detection: 24%
Source: 45I8GbQlUj.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\45I8GbQlUj.exe File read: C:\Users\user\Desktop\45I8GbQlUj.exe Jump to behavior
Source: 45I8GbQlUj.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45I8GbQlUj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45I8GbQlUj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe Jump to behavior
Source: classification engine Classification label: mal92.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Mutant created: \Sessions\1\BaseNamedObjects\EBA27E1D48D738BA9535923048CE6DEA
Source: C:\Users\user\Desktop\45I8GbQlUj.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: 45I8GbQlUj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 45I8GbQlUj.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 45I8GbQlUj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 45I8GbQlUj.exe, CoreApi.cs .Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: svchost.exe.0.dr, CoreApi.cs .Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.45I8GbQlUj.exe.450000.0.unpack, CoreApi.cs .Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: 45I8GbQlUj.exe Static PE information: 0x964C769C [Sat Nov 27 02:38:20 2049 UTC]

Persistence and Installation Behavior:

barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\45I8GbQlUj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\45I8GbQlUj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe Jump to dropped file

Boot Survival:

barindex
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\45I8GbQlUj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe\:Zone.Identifier:$DATA Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Stores large binary data to the registry
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Key value created or modified: HKEY_CURRENT_USER\Software\EBA27E1D48D738BA9535923048CE6DEA Plugin Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\45I8GbQlUj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\45I8GbQlUj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\45I8GbQlUj.exe TID: 4600 Thread sleep time: -35000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe TID: 6508 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe TID: 6508 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe TID: 4600 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Window / User API: threadDelayed 2504 Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Window / User API: threadDelayed 7303 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\45I8GbQlUj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45I8GbQlUj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 45I8GbQlUj.exe, 00000000.00000003.662613955.0000000000A90000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Memory allocated: page read and write | page guard Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Queries volume information: C:\Users\user\Desktop\45I8GbQlUj.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\45I8GbQlUj.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
74.201.28.62
 unknown United States
35913 DEDIPATH-LLCUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://74.201.28.62/book/KB5009812.png true
  • Avira URL Cloud: safe
 unknown