Windows Analysis Report
qpwx2wT5ky.exe

Overview

General Information

Sample Name: qpwx2wT5ky.exe
Analysis ID: 562520
MD5: c22c0fdbc19dcd4838709bbaca921f56
SHA1: 4cd9280315ce4ff97cdb95d7dd6d8fcb7715f292
SHA256: d72ff8708ffeb9a95f559828938dc1439884e7c224579127418e285b1aa1d235
Tags: exe, RaccoonStealer

Detection

Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Antivirus detection for URL or domain
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to steal Internet Explorer form passwords
Allocates memory in foreign processes
Injects a PE file into a foreign process
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Moves itself to temp directory
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: qpwx2wT5ky.exe Virustotal: Detection: 47%
Source: qpwx2wT5ky.exe Metadefender: Detection: 23%
Source: qpwx2wT5ky.exe ReversingLabs: Detection: 66%
Source: Yara match File source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320185486.000000000468C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LaunchWinApp.exe PID: 5980, type: MEMORYSTR
Source: http://185.163.204.22/hdm3prapor Avira URL Cloud: Label: malware
Source: http://188.166.1.115/hdm3prapor Avira URL Cloud: Label: malware

Cryptography

Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00410327 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,CryptUnprotectData, 2_2_00410327
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0040E6DD __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 2_2_0040E6DD
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0040CB3A __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 2_2_0040CB3A
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00428EC4 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 2_2_00428EC4
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00434EB9 lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA, 2_2_00434EB9
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00429097 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 2_2_00429097
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0040F186 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,CryptUnprotectData, 2_2_0040F186
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0040D1A3 __EH_prolog,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,CryptUnprotectData, 2_2_0040D1A3
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041FC20 __EH_prolog,_strlen,CryptStringToBinaryA, 2_2_0041FC20

Exploits

Source: Yara match File source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR

Compliance

Source: qpwx2wT5ky.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: qpwx2wT5ky.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ktmw32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nsi.pdb_ source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.473103575.00000000053B3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbe source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdbf source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: webio.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernelbase.pdb source: WerFault.exe, 00000010.00000002.502132177.0000000002F52000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: c:\TFS\DevDiv\OC-CT-Main23Rel-Dev14\src\src\Waverton\Cct.Contracts.Public\obj\VS140\Release\Release\Microsoft.VisualStudio.WindowsAzure.Contracts.2.3.pdb source: qpwx2wT5ky.exe
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_004604F2 FindFirstFileExW, 2_2_004604F2
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043F85B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 2_2_0043F85B
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043615F __EH_prolog,GetLogicalDriveStringsA, 2_2_0043615F

Networking

Source: Traffic Snort IDS: 2034960 ET TROJAN Win32.Raccoon Stealer Checkin M6 194.180.174.147:80 -> 192.168.2.3:49814
Source: Malware configuration extractor URLs: http://188.166.1.115/hdm3prapor
Source: Malware configuration extractor URLs: http://91.219.236.139/hdm3prapor
Source: Malware configuration extractor URLs: http://194.180.174.147/hdm3prapor
Source: Malware configuration extractor URLs: http://185.3.95.153/hdm3prapor
Source: Malware configuration extractor URLs: http://185.163.204.22/hdm3prapor
Source: Malware configuration extractor URLs: https://t.me/hdm3prapor
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: global traffic HTTP traffic detected: GET /hdm3prapor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 188.166.1.115
Source: global traffic HTTP traffic detected: GET /hdm3prapor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 188.166.1.115
Source: global traffic HTTP traffic detected: GET /hdm3prapor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 194.180.174.147
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 159.223.25.220
Source: Joe Sandbox View IP Address: 188.166.1.115 188.166.1.115
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 23:12:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.1.115
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.1.115
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.1.115
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.1.115
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.1.115
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.1.115
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.1.115
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.1.115
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.139
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.139
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.139
Source: unknown TCP traffic detected without corresponding DNS query: 91.219.236.139
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.147
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.147
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.147
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.147
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.147
Source: unknown TCP traffic detected without corresponding DNS query: 159.223.25.220
Source: unknown TCP traffic detected without corresponding DNS query: 159.223.25.220
Source: unknown TCP traffic detected without corresponding DNS query: 159.223.25.220
Source: unknown TCP traffic detected without corresponding DNS query: 159.223.25.220
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.147
Source: unknown TCP traffic detected without corresponding DNS query: 159.223.25.220
Source: unknown TCP traffic detected without corresponding DNS query: 194.180.174.147
Source: unknown TCP traffic detected without corresponding DNS query: 159.223.25.220
Source: WerFault.exe, 00000010.00000002.503229027.0000000005329000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.500486218.0000000005329000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.16.dr String found in binary or memory: http://upx.sf.net
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 159.223.25.220
Source: global traffic HTTP traffic detected: GET /hdm3prapor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 188.166.1.115
Source: global traffic HTTP traffic detected: GET /hdm3prapor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 188.166.1.115
Source: global traffic HTTP traffic detected: GET /hdm3prapor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 194.180.174.147

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0042B173 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 2_2_0042B173

E-Banking Fraud

Source: Yara match File source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320185486.000000000468C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LaunchWinApp.exe PID: 5980, type: MEMORYSTR

System Summary

Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Raccoon stealer payload Author: ditekSHen
Source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Raccoon stealer payload Author: ditekSHen
Source: qpwx2wT5ky.exe, OuCPJ4q0f2/D5GjPfY8gl.cs Large array initialization: h6MujDbFZc: array initializer size 917520
Source: qpwx2wT5ky.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
Source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload
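The two match lists above repeat the same handful of rules over many memory dumps and unpacked images. What an analyst actually wants from them is "which rule fired in which process, at which address". The following is an added example, not part of the original report and not Joe Sandbox code: it parses the rule-named form of the "Source: ... Matched rule: ..." lines and groups them. It assumes the sandbox naming it sees above, where an unpacked artefact is `<proc>.<run>.<image>.<addr>.<n>[.raw].unpack` and a dump is `<proc>.<run>.<id>.<base>.<four 8-hex fields>.sdmp`; the leading number is taken to be the analysis process index (0 for qpwx2wT5ky.exe, 2 for LaunchWinApp.exe, judging by the unpack names), and no other field is interpreted. The sample input is copied from the lines above. Run on it, the Raccoon rule shows up both at 0x468cf00 inside process 0 (the payload staged in the .NET loader's memory) and at 0x400000 in process 2 (the image base of the hollowed LaunchWinApp.exe), which the flat list makes hard to see.

```python
"""Condense sandbox Yara match lines into rule -> processes / addresses / hits.

Added example (not from the report or from Joe Sandbox).  Only lines that
carry the rule name ("Matched rule: NAME author = ..., description = ...")
are parsed; the earlier description-only form is ignored.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source:\s+(?P<source>\S+),\s+type:\s+(?P<type>\w+)\s+Matched rule:\s+"
    r"(?P<rule>\S+)\s+author\s*=\s*(?P<author>\S+),\s+description\s*=\s*(?P<desc>.*)$"
)
# "<proc>.<run>.<image>.<addr>.<n>[.raw].unpack"  (assumed naming, see lead-in)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
# "<proc>.<run>.<id>.<base>.<f1>.<f2>.<f3>.<f4>.sdmp"  (assumed naming, see lead-in)
SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<run>\d{8})\.\d+\.(?P<addr>[0-9A-Fa-f]{16})(?:\.[0-9A-Fa-f]{8}){4}\.sdmp$")


def parse_source(source: str):
    """Return (process_index, address_hex) for an unpack or sdmp source name."""
    m = UNPACK_RE.match(source)
    if m:
        return int(m["proc"]), m["addr"].lower()
    m = SDMP_RE.match(source)
    if m:
        return int(m["proc"]), m["addr"].lstrip("0").lower() or "0"
    return None, source  # unknown naming scheme: keep the raw name as the "address"


def summarize_yara_hits(lines):
    """Group report lines by rule name: process set, distinct addresses, hit count."""
    summary = defaultdict(lambda: {"processes": set(), "addresses": set(), "hits": 0, "description": ""})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proc, addr = parse_source(m["source"])
        entry = summary[m["rule"]]
        entry["hits"] += 1
        entry["description"] = m["desc"].strip()
        if proc is not None:
            entry["processes"].add(proc)
        entry["addresses"].add(addr)
    return dict(summary)


# Sample input: lines copied verbatim from the report above (process 0 is the
# .NET loader qpwx2wT5ky.exe, process 2 the hollowed LaunchWinApp.exe).
SAMPLE_LINES = [
    "Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF",
    "Source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload",
    "Source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload",
    "Source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload",
    "Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender",
]

if __name__ == "__main__":
    for rule, info in sorted(summarize_yara_hits(SAMPLE_LINES).items()):
        print(f"{rule}: processes={sorted(info['processes'])} "
              f"addresses={sorted(info['addresses'])} hits={info['hits']}")
```

Feed it the whole report section (one line per list entry) to get the same grouping for every rule; lines in the description-only form are skipped rather than mis-parsed.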
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 796
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_017720B0 0_2_017720B0
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177B548 0_2_0177B548
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_017797A8 0_2_017797A8
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177784B 0_2_0177784B
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_01775FA8 0_2_01775FA8
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F160 0_2_0177F160
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F120 0_2_0177F120
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F1FC 0_2_0177F1FC
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F1BA 0_2_0177F1BA
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F1A2 0_2_0177F1A2
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F0F1 0_2_0177F0F1
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177B53F 0_2_0177B53F
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177B538 0_2_0177B538
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F512 0_2_0177F512
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F971 0_2_0177F971
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F939 0_2_0177F939
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_0177F9A0 0_2_0177F9A0
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA5280 0_2_06AA5280
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AAB240 0_2_06AAB240
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA5E10 0_2_06AA5E10
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA0D90 0_2_06AA0D90
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA8D48 0_2_06AA8D48
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA66A0 0_2_06AA66A0
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA6690 0_2_06AA6690
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA6648 0_2_06AA6648
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA4570 0_2_06AA4570
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA4540 0_2_06AA4540
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AAB230 0_2_06AAB230
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA5262 0_2_06AA5262
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA60CA 0_2_06AA60CA
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA60DC 0_2_06AA60DC
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AABE28 0_2_06AABE28
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA5E00 0_2_06AA5E00
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AABE18 0_2_06AABE18
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA6B1B 0_2_06AA6B1B
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA19A1 0_2_06AA19A1
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA59E8 0_2_06AA59E8
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA59F8 0_2_06AA59F8
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AA19D8 0_2_06AA19D8
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00424AE3 2_2_00424AE3
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0042B39F 2_2_0042B39F
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0044E1E3 2_2_0044E1E3
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041828E 2_2_0041828E
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00410327 2_2_00410327
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041C41C 2_2_0041C41C
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0040E6DD 2_2_0040E6DD
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043670C 2_2_0043670C
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0045E889 2_2_0045E889
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00462915 2_2_00462915
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00416A44 2_2_00416A44
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041EA4E 2_2_0041EA4E
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043EB1A 2_2_0043EB1A
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041CD2C 2_2_0041CD2C
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041ADCA 2_2_0041ADCA
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0044AEC0 2_2_0044AEC0
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00448F57 2_2_00448F57
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0045AF13 2_2_0045AF13
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00410F9C 2_2_00410F9C
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0045B033 2_2_0045B033
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0040F186 2_2_0040F186
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0040D1A3 2_2_0040D1A3
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00429260 2_2_00429260
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_004652C6 2_2_004652C6
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041F3F5 2_2_0041F3F5
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043543D 2_2_0043543D
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041D56F 2_2_0041D56F
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00411675 2_2_00411675
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00443740 2_2_00443740
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00419719 2_2_00419719
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_004378ED 2_2_004378ED
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0045D97C 2_2_0045D97C
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041D901 2_2_0041D901
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_004219E2 2_2_004219E2
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0042DB88 2_2_0042DB88
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00437D4A 2_2_00437D4A
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0044DD54 2_2_0044DD54
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041FDB7 2_2_0041FDB7
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00429E5B 2_2_00429E5B
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0044DF86 2_2_0044DF86
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043DF8D 2_2_0043DF8D
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: String function: 00468510 appears 179 times
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: String function: 0044FBAF appears 80 times
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: String function: 00440CFA appears 202 times
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: String function: 00414066 appears 194 times
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: String function: 004414A0 appears 58 times
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043FC3C: DeviceIoControl,GetLastError, 2_2_0043FC3C
Source: qpwx2wT5ky.exe Binary or memory string: OriginalFilename vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000002.319124765.00000000043CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000000.296234840.0000000000E23000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHospital_project.exeR vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000003.302712970.0000000004953000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000002.319540650.000000000460E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000002.319282911.00000000044EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000002.317907078.0000000003431000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000002.320644906.0000000004717000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe, 00000000.00000003.302587573.0000000004832000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe
Source: qpwx2wT5ky.exe Binary or memory string: OriginalFilenameHospital_project.exeR vs qpwx2wT5ky.exe
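The OriginalFilename strings above (PphG DCj.exe, Hospital_project.exe, ZakrytyeKupla.exe) come from VS_VERSIONINFO resources in the loader's memory that do not match the file it runs as, which is what nested, not-yet-injected payloads look like in a dump. The following is an added example, not part of the original report: it scans a byte buffer for the UTF-16LE "OriginalFilename" key, reads the value that follows it, records MZ headers whose e_lfanew lands on a "PE\0\0" signature, and lists the names that disagree with the on-disk file name. The buffer it runs on is constructed for the demo; its offsets and the positions of the fake version blocks are invented, only the names are taken from the report.

```python
"""Carve OriginalFilename version strings and nested PE headers from a dump.

Added example (not from the report).  Works on any bytes object, e.g. a
process memory dump read from disk; the sample buffer here is constructed.
"""
import struct

# VS_VERSIONINFO String entry key, UTF-16LE, NUL-terminated
KEY = "OriginalFilename".encode("utf-16-le") + b"\0\0"


def _read_utf16z(buf: bytes, off: int, limit: int = 260) -> str:
    """Read a NUL-terminated UTF-16LE string, bounded to MAX_PATH code units."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\0\0" and (end - off) // 2 < limit:
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace")


def find_original_filenames(buf: bytes):
    """Yield (offset, value) for every OriginalFilename string entry in buf."""
    pos = buf.find(KEY)
    while pos != -1:
        val = pos + len(KEY)
        # the String structure pads the value to a DWORD boundary; skip one WCHAR of zeros if present
        if buf[val:val + 2] == b"\0\0":
            val += 2
        yield pos, _read_utf16z(buf, val)
        pos = buf.find(KEY, pos + 2)


def find_embedded_pe(buf: bytes):
    """Offsets of MZ headers whose e_lfanew points at a PE signature inside buf."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and buf[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def mismatched_names(buf: bytes, on_disk_name: str):
    """OriginalFilename values that differ from the name the file runs under."""
    return sorted({v for _, v in find_original_filenames(buf)
                   if v.lower() != on_disk_name.lower()})


def build_sample_dump() -> bytes:
    """Constructed buffer: three fake version entries and one nested MZ/PE header."""
    def entry(value):
        return KEY + value.encode("utf-16-le") + b"\0\0"
    filler = b"\xcc" * 16
    nested = bytearray(0x80)
    nested[:2] = b"MZ"
    struct.pack_into("<I", nested, 0x3C, 0x40)   # e_lfanew -> PE signature at +0x40
    nested[0x40:0x44] = b"PE\0\0"
    return (filler + entry("qpwx2wT5ky.exe") + filler + entry("Hospital_project.exe")
            + filler + bytes(nested) + entry("PphG DCj.exe"))


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, name in find_original_filenames(dump):
        print(f"OriginalFilename @0x{off:x}: {name}")
    print("nested PE headers at", [hex(o) for o in find_embedded_pe(dump)])
    print("mismatches vs qpwx2wT5ky.exe:", mismatched_names(dump, "qpwx2wT5ky.exe"))
```

On a real dump, a nested MZ offset followed shortly by a mismatching OriginalFilename is the spot to carve with the header-declared section sizes; the bound of 0x1000 on e_lfanew and the 260-unit string cap keep random "MZ" or key collisions in the buffer from producing runaway reads.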
Source: qpwx2wT5ky.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: qpwx2wT5ky.exe Virustotal: Detection: 47%
Source: qpwx2wT5ky.exe Metadefender: Detection: 23%
Source: qpwx2wT5ky.exe ReversingLabs: Detection: 66%
Source: qpwx2wT5ky.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\qpwx2wT5ky.exe "C:\Users\user\Desktop\qpwx2wT5ky.exe"
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Process created: C:\Windows\SysWOW64\LaunchWinApp.exe C:\Windows\SysWOW64\LaunchWinApp.exe
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 796
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Process created: C:\Windows\SysWOW64\LaunchWinApp.exe C:\Windows\SysWOW64\LaunchWinApp.exe
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qpwx2wT5ky.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREDED.tmp
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@4/7@0/4
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0042918B CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 2_2_0042918B
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00439308 __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW, 2_2_00439308
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5980
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Mutant created: \Sessions\1\BaseNamedObjects\userkO$1iC2$uM3b$M1a
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: qpwx2wT5ky.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: qpwx2wT5ky.exe Static file information: File size 1128960 > 1048576
Source: qpwx2wT5ky.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: qpwx2wT5ky.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x113200
Source: qpwx2wT5ky.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: qpwx2wT5ky.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ktmw32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nsi.pdb_ source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.473103575.00000000053B3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbe source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdbf source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: webio.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernelbase.pdb source: WerFault.exe, 00000010.00000002.502132177.0000000002F52000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: c:\TFS\DevDiv\OC-CT-Main23Rel-Dev14\src\src\Waverton\Cct.Contracts.Public\obj\VS140\Release\Release\Microsoft.VisualStudio.WindowsAzure.Contracts.2.3.pdb source: qpwx2wT5ky.exe
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_01775F98 push esp; ret 0_2_01775F99
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Code function: 0_2_06AABA48 push es; retn 0004h 0_2_06AABA0C
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00468510 push eax; ret 2_2_0046852E
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0046852F push eax; ret 2_2_00468565
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00468580 push eax; ret 2_2_00468565
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00440FB1 push ecx; ret 2_2_00440FC4
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00434E00 LoadLibraryA,GetProcAddress,FreeLibrary, 2_2_00434E00
Source: initial sample Static PE information: section name: .text entropy: 7.39943250791

Hooking and other Techniques for Hiding and Protection

Source: qpwx2wT5ky.exe, 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: qpwx2wT5ky.exe, 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: c:\users\user\desktop\qpwx2wt5ky.exe File moved: C:\Users\user\AppData\Local\Temp\8a5117119915447493a5b09e32efc8ff.tmp
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0041F3F5 __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0041F3F5
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR
Source: qpwx2wT5ky.exe, 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: qpwx2wT5ky.exe, 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000002.317216371.0000000003271000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe TID: 4972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\LaunchWinApp.exe TID: 5452 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\LaunchWinApp.exe TID: 5568 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\LaunchWinApp.exe API coverage: 4.3 %
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00437D4A __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 2_2_00437D4A
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_004604F2 FindFirstFileExW, 2_2_004604F2
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043F85B FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 2_2_0043F85B
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043615F __EH_prolog,GetLogicalDriveStringsA, 2_2_0043615F
Source: Amcache.hve.16.dr Binary or memory string: VMware
Source: WerFault.exe, 00000010.00000003.500364191.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.500236208.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.500024980.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000002.503283976.00000000053B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW6
Source: Amcache.hve.16.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.16.dr Binary or memory string: VMware, Inc.
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000010.00000002.503165059.00000000052F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: Amcache.hve.16.dr Binary or memory string: VMware, Inc.me
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Amcache.hve.16.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareVBoxARun using valid operating systemUSER
Source: Amcache.hve.16.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.16.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr Binary or memory string: VMware7,1
Source: Amcache.hve.16.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.16.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.16.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.16.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: Amcache.hve.16.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VIRTUALBOXUSOFTWARE\Oracle\VirtualBox Guest Additions!noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys

Anti Debugging

Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00446AC8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00446AC8
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00434E00 LoadLibraryA,GetProcAddress,FreeLibrary, 2_2_00434E00
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0040D1A3 __EH_prolog,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,CryptUnprotectData, 2_2_0040D1A3
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0045AAC7 mov eax, dword ptr fs:[00000030h] 2_2_0045AAC7
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0045AAF8 mov eax, dword ptr fs:[00000030h] 2_2_0045AAF8
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0045AA83 mov eax, dword ptr fs:[00000030h] 2_2_0045AA83
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00447699 mov eax, dword ptr fs:[00000030h] 2_2_00447699
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00441435 SetUnhandledExceptionFilter, 2_2_00441435
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_004412D2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004412D2
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00441692 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00441692

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory written: C:\Windows\SysWOW64\LaunchWinApp.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory written: C:\Windows\SysWOW64\LaunchWinApp.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory written: C:\Windows\SysWOW64\LaunchWinApp.exe base: 46E000 Jump to behavior
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory written: C:\Windows\SysWOW64\LaunchWinApp.exe base: 488000 Jump to behavior
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory written: C:\Windows\SysWOW64\LaunchWinApp.exe base: 48E000 Jump to behavior
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory written: C:\Windows\SysWOW64\LaunchWinApp.exe base: 48F000 Jump to behavior
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory written: C:\Windows\SysWOW64\LaunchWinApp.exe base: 2BD0008 Jump to behavior
Source: qpwx2wT5ky.exe, OuCPJ4q0f2/d4eQdQGngr.cs Reference to suspicious API methods: ('fhrGuUGcd4', 'GetProcAddress@kernel32.dll'), ('aiIB2IyVDl', 'VirtualProtect@kernel32.dll'), ('MhNAKwwAxy', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory allocated: C:\Windows\SysWOW64\LaunchWinApp.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Memory written: C:\Windows\SysWOW64\LaunchWinApp.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Process created: C:\Windows\SysWOW64\LaunchWinApp.exe C:\Windows\SysWOW64\LaunchWinApp.exe

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Queries volume information: C:\Users\user\Desktop\qpwx2wT5ky.exe VolumeInformation
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,StrToIntA,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 2_2_0042B39F
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: EnumSystemLocalesW, 2_2_004586D2
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: GetLocaleInfoW, 2_2_00458CFF
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00462E64
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: EnumSystemLocalesW, 2_2_00463151
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: EnumSystemLocalesW, 2_2_00463106
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: EnumSystemLocalesW, 2_2_004631EC
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00463277
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: GetLocaleInfoW, 2_2_004634CA
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_004635F0
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: GetLocaleInfoW, 2_2_004636F6
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_004637C5
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 2_2_00437D4A
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_004410F5 cpuid 2_2_004410F5
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_004525EA GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 2_2_004525EA
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_0043771D __EH_prolog,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 2_2_0043771D
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00429260 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 2_2_00429260
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: 2_2_00436235 GetUserNameA, 2_2_00436235

Lowering of HIPS / PFW / Operating System Security Settings

Source: Amcache.hve.LOG1.16.dr, Amcache.hve.16.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.16.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.16.dr, Amcache.hve.16.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320185486.000000000468C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LaunchWinApp.exe PID: 5980, type: MEMORYSTR
Source: C:\Windows\SysWOW64\LaunchWinApp.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 2_2_00435D8C

Remote Access Functionality

Source: Yara match File source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320185486.000000000468C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LaunchWinApp.exe PID: 5980, type: MEMORYSTR