Windows Analysis Report
qjrOWCCE58

Overview

General Information

Sample Name: qjrOWCCE58 (renamed file extension from none to exe)
Analysis ID: 620693
MD5: 732132623989caae367e0878298b7e9b
SHA1: e493be600aa8ecf7384ac3f23454daf6fdd1821d
SHA256: 32f431ba791fcd1f53e53b26447c9dbf59983549f567bac43ea9578b98de4ca8
Tags: 32 exe trojan

Detection

Nymaim
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Nymaim
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
One or more processes crash
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Uses taskkill to terminate processes
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges

Classification

AV Detection

Source: qjrOWCCE58.exe Virustotal: Detection: 33%
Source: qjrOWCCE58.exe ReversingLabs: Detection: 50%
Source: qjrOWCCE58.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00403050 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 0_2_00403050
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_008232B7 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 0_2_008232B7
Source: qjrOWCCE58.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\qjrOWCCE58.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\ciyicu.pdb source: qjrOWCCE58.exe
Source: Binary string: *'9C:\ciyicu.pdb source: qjrOWCCE58.exe
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00403D70 Sleep,Sleep,FindFirstFileA,FindNextFileA,Sleep,FindNextFileA,FindClose,Sleep,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 0_2_00403D70
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_004225FD FindFirstFileExW, 0_2_004225FD
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00842864 FindFirstFileExW, 0_2_00842864
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00823FD7 FindFirstFileA,FindClose,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer, 0_2_00823FD7
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00401420 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 0_2_00401420

E-Banking Fraud

Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656
Source: qjrOWCCE58.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: String function: 0040E1D0 appears 54 times
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: String function: 0082E437 appears 54 times
Source: qjrOWCCE58.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_004024E0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_004024E0
Source: qjrOWCCE58.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\qjrOWCCE58.exe "C:\Users\user\Desktop\qjrOWCCE58.exe"
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 772
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 796
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 628
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 908
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 916
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1592
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "qjrOWCCE58.exe")
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: `a}{ 0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: MFE. 0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: ZK]Z 0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: ZK]Z 0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: 0|C 0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: `a}{ 0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: MFE. 0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: ZK]Z 0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Command line argument: ZK]Z 0_2_00828217
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE842.tmp
Source: classification engine Classification label: mal60.troj.evad.winEXE@12/28@0/0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe File read: C:\Users\user\Desktop\desktop.ini
Source: qjrOWCCE58.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0042F1A5 push esi; ret 0_2_0042F1AE
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0040DCAA push ecx; ret 0_2_0040DCBD
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0042B611 push esp; iretd 0_2_0042B616
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0042C746 pushad ; retf 0_2_0042C74D
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0042C72E push eax; retf 0_2_0042C745
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0084113F push esp; retf 0_2_00841147
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0082DF11 push ecx; ret 0_2_0082DF24
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\qjrOWCCE58.exe API coverage: 5.3 %
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA, 0_2_00404FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00403D70 Sleep,Sleep,FindFirstFileA,FindNextFileA,Sleep,FindNextFileA,FindClose,Sleep,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 0_2_00403D70
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_004225FD FindFirstFileExW, 0_2_004225FD
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00842864 FindFirstFileExW, 0_2_00842864
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00823FD7 FindFirstFileA,FindClose,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer, 0_2_00823FD7
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00411B5B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00411B5B
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0041637F mov eax, dword ptr fs:[00000030h] 0_2_0041637F
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0041EBEF mov eax, dword ptr fs:[00000030h] 0_2_0041EBEF
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0082092B mov eax, dword ptr fs:[00000030h] 0_2_0082092B
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00820D90 mov eax, dword ptr fs:[00000030h] 0_2_00820D90
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_008365E6 mov eax, dword ptr fs:[00000030h] 0_2_008365E6
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0083EE56 mov eax, dword ptr fs:[00000030h] 0_2_0083EE56
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_004024E0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_004024E0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00402800 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc, 0_2_00402800
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00411B5B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00411B5B
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0040D3C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040D3C2
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0040DDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040DDE5
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0040DF79 SetUnhandledExceptionFilter, 0_2_0040DF79
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0082E04C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0082E04C
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0082E1E0 SetUnhandledExceptionFilter, 0_2_0082E1E0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00831DC2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00831DC2
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0082D629 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0082D629
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: EnumSystemLocalesW, 0_2_0042585C
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: EnumSystemLocalesW, 0_2_00425811
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: EnumSystemLocalesW, 0_2_004258F7
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00425982
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: EnumSystemLocalesW, 0_2_0041CACF
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW, 0_2_00425BD5
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00425CFB
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0042556F
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW, 0_2_00425E01
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, 0_2_00404620
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00425ED0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW, 0_2_0041CFF1
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, 0_2_00824887
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW, 0_2_00846068
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00846137
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: EnumSystemLocalesW, 0_2_00845AC3
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW, 0_2_0083D258
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: EnumSystemLocalesW, 0_2_00845A78
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00845BE9
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: EnumSystemLocalesW, 0_2_00845B5E
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: EnumSystemLocalesW, 0_2_0083CD36
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW, 0_2_00845E3C
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_008457D6
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00845F62
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_0040DFE3 cpuid 0_2_0040DFE3
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00417043 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00417043
Source: C:\Users\user\Desktop\qjrOWCCE58.exe Code function: 0_2_00405840 GetUserNameA,CreateThread,Sleep,Sleep, 0_2_00405840

Stealing of Sensitive Information

Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qjrOWCCE58.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qjrOWCCE58.exe.820e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.qjrOWCCE58.exe.860000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.qjrOWCCE58.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qjrOWCCE58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.qjrOWCCE58.exe.820e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.qjrOWCCE58.exe.820e67.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.269341375.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.283327894.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.262759789.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.253715249.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.280137430.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.253175312.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.302456596.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.291073585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.283828611.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.263480015.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.284150109.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.301360286.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.302642354.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.250452760.0000000000860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.254142123.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.292136739.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.301881203.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.269598460.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.262441622.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.263212749.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.309005504.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.309602192.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.309769483.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.291503648.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.270183524.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.292619266.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.252534472.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.269963050.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.309168636.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos