Windows Analysis Report
INV_0893.exe

Overview

General Information

Sample Name: INV_0893.exe
Analysis ID: 715068
MD5: d23e1e317d68720216699e1c9e524a78
SHA1: 76b58185f5aa824e5bafc589aaa6c228b341b239
SHA256: 8dda840eccb53427037b3a06dd5f886c78e6e55fe69d96b256b05176e85172db
Tags: exeJustClickAm-com

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected AntiVM autoit script
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Drops PE files with a suspicious file extension
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: INV_0893.exe ReversingLabs: Detection: 68%
Source: INV_0893.exe Virustotal: Detection: 65%
Source: INV_0893.exe Avira: detected
Source: C:\Users\user\1_102\uvbdlqfvw.pif Avira: detection malicious, Label: TR/Redcap.qnaqq
Source: C:\Users\user\1_102\uvbdlqfvw.pif ReversingLabs: Detection: 84%
Source: C:\Users\user\1_102\uvbdlqfvw.pif Metadefender: Detection: 38%
Source: INV_0893.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: INV_0893.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: INV_0893.exe
Source: Binary string: RegSvcs.pdb, source: uvbdlqfvw.pif, 00000017.00000002.577019533.0000000001798000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: uvbdlqfvw.pif, 00000017.00000002.577019533.0000000001798000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0112A2DF
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0113AFB9
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01149FD3 FindFirstFileExA, 0_2_01149FD3
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0112399B GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0112399B
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01142408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_01142408
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0113280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0113280D
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01168877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_01168877
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01121A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_01121A73
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0114CAE7 FindFirstFileW,FindNextFileW,FindClose, 3_2_0114CAE7
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository/0
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository/03
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository09
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01132361 InternetReadFile, 3_2_01132361
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0115D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 3_2_0115D8E9
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0116C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_0116C7D6
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01146308 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 3_2_01146308
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0114A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_0114A0FC
Source: INV_0893.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_011233A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 3_2_011233A3
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_011283C0 0_2_011283C0
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113626D 0_2_0113626D
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01140113 0_2_01140113
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0114C0B0 0_2_0114C0B0
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_011230FC 0_2_011230FC
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_011333D3 0_2_011333D3
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113F3CA 0_2_0113F3CA
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112E510 0_2_0112E510
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0114C55E 0_2_0114C55E
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01140548 0_2_01140548
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112F5C5 0_2_0112F5C5
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01150654 0_2_01150654
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113364E 0_2_0113364E
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01122692 0_2_01122692
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_011366A2 0_2_011366A2
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112E973 0_2_0112E973
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113397F 0_2_0113397F
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113589E 0_2_0113589E
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113F8C6 0_2_0113F8C6
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112BAD1 0_2_0112BAD1
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112DADD 0_2_0112DADD
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01125D7E 0_2_01125D7E
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01143CBA 0_2_01143CBA
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01136CDB 0_2_01136CDB
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113FCDE 0_2_0113FCDE
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112DF12 0_2_0112DF12
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01123EAD 0_2_01123EAD
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01143EE9 0_2_01143EE9
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_010F35F0 3_2_010F35F0
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_010F98F0 3_2_010F98F0
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01102136 3_2_01102136
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0110A137 3_2_0110A137
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0113F3A6 3_2_0113F3A6
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0111427D 3_2_0111427D
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01102508 3_2_01102508
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0113655F 3_2_0113655F
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_010F98F0 3_2_010F98F0
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01103721 3_2_01103721
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_010FF730 3_2_010FF730
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01101903 3_2_01101903
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0111088F 3_2_0111088F
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0110C8CE 3_2_0110C8CE
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_011028F0 3_2_011028F0
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01113BA1 3_2_01113BA1
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0116EA2B 3_2_0116EA2B
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0113EAD5 3_2_0113EAD5
Source: C:\Users\user\Desktop\INV_0893.exe Code function: String function: 0113D870 appears 35 times
Source: C:\Users\user\Desktop\INV_0893.exe Code function: String function: 0113E2F0 appears 31 times
Source: C:\Users\user\Desktop\INV_0893.exe Code function: String function: 0113D940 appears 51 times
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: String function: 011014F7 appears 36 times
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: String function: 011359E6 appears 38 times
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: String function: 01106B90 appears 33 times
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01136219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 3_2_01136219
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01126FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_01126FC6
Source: INV_0893.exe, 00000000.00000003.336111482.000000000499C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSEInstall.exeT4 vs INV_0893.exe
Source: C:\Users\user\Desktop\INV_0893.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\INV_0893.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\INV_0893.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\INV_0893.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\INV_0893.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\INV_0893.exe Section loaded: dxgidebug.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\1_102\uvbdlqfvw.pif F99B9FC041C177F0BEE2C82D09F451EF0833696111B1B37CBFFF8C975232ECE2
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: INV_0893.exe ReversingLabs: Detection: 68%
Source: INV_0893.exe Virustotal: Detection: 65%
Source: C:\Users\user\Desktop\INV_0893.exe File read: C:\Users\user\Desktop\INV_0893.exe
Source: INV_0893.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INV_0893.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\INV_0893.exe C:\Users\user\Desktop\INV_0893.exe
Source: C:\Users\user\Desktop\INV_0893.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\uvbdlqfvw.pif" faeupdrjbw.afr
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: unknown Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" C:\Users\user\1_102\FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: unknown Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" C:\Users\user\1_102\FAEUPD~1.AFR
Source: unknown Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" C:\Users\user\1_102\FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\Desktop\INV_0893.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\uvbdlqfvw.pif" faeupdrjbw.afr
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\Desktop\INV_0893.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_011233A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 3_2_011233A3
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01154AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 3_2_01154AEB
Source: C:\Users\user\Desktop\INV_0893.exe File created: C:\Users\user\1_102
Source: C:\Users\user\1_102\uvbdlqfvw.pif File created: C:\Users\user\temp\qdmmn.ppt
Source: classification engine Classification label: mal84.evad.winEXE@40/60@0/1
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0115E0F6 CoInitialize,CoCreateInstance,CoUninitialize, 3_2_0115E0F6
Source: C:\Users\user\Desktop\INV_0893.exe File read: C:\Windows\win.ini
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0114D766 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 3_2_0114D766
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01126D06 GetLastError,FormatMessageW, 0_2_01126D06
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01123EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,FindCloseChangeNotification, 3_2_01123EC5
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0113963A
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\Desktop\INV_0893.exe Command line argument: sfxname 0_2_0113CBB8
Source: C:\Users\user\Desktop\INV_0893.exe Command line argument: sfxstime 0_2_0113CBB8
Source: C:\Users\user\Desktop\INV_0893.exe Command line argument: STARTDLG 0_2_0113CBB8
Source: C:\Users\user\Desktop\INV_0893.exe File written: C:\Users\user\1_102\xfsxuexxqf.ini
Source: INV_0893.exe Static file information: File size 1248871 > 1048576
Source: INV_0893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: INV_0893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: INV_0893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: INV_0893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: INV_0893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: INV_0893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: INV_0893.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: INV_0893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: INV_0893.exe
Source: Binary string: RegSvcs.pdb, source: uvbdlqfvw.pif, 00000017.00000002.577019533.0000000001798000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: uvbdlqfvw.pif, 00000017.00000002.577019533.0000000001798000.00000004.00000020.00020000.00000000.sdmp
Source: INV_0893.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: INV_0893.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: INV_0893.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: INV_0893.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: INV_0893.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113E336 push ecx; ret 0_2_0113E349
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113D870 push eax; ret 0_2_0113D88E
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0111D53C push 740111CFh; iretd 3_2_0111D541
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01106BD5 push ecx; ret 3_2_01106BE8
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_010FEE30 LoadLibraryA,GetProcAddress, 3_2_010FEE30
Source: C:\Users\user\Desktop\INV_0893.exe File created: C:\Users\user\1_102\__tmp_rar_sfx_access_check_3848296

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\INV_0893.exe File created: C:\Users\user\1_102\uvbdlqfvw.pif
Source: C:\Users\user\1_102\uvbdlqfvw.pif File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\Desktop\INV_0893.exe File created: C:\Users\user\1_102\uvbdlqfvw.pif
Source: C:\Users\user\1_102\uvbdlqfvw.pif Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\1_102\uvbdlqfvw.pif Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_011243FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_011243FF
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0116A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_0116A2EA
Source: C:\Users\user\Desktop\INV_0893.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: uvbdlqfvw.pif PID: 2528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: uvbdlqfvw.pif PID: 5336, type: MEMORYSTR
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 3340 Thread sleep count: 65 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 3340 Thread sleep count: 42 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 3760 Thread sleep count: 51 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 3760 Thread sleep count: 40 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 4852 Thread sleep count: 55 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 4852 Thread sleep count: 32 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 5224 Thread sleep count: 35 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 4644 Thread sleep count: 35 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 5676 Thread sleep count: 41 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 5832 Thread sleep count: 33 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 4348 Thread sleep count: 37 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif TID: 3300 Thread sleep count: 36 > 30
Source: C:\Users\user\1_102\uvbdlqfvw.pif Last function: Thread delayed
Source: C:\Users\user\1_102\uvbdlqfvw.pif Last function: Thread delayed
Source: C:\Users\user\1_102\uvbdlqfvw.pif Last function: Thread delayed
Source: C:\Users\user\1_102\uvbdlqfvw.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\1_102\uvbdlqfvw.pif API coverage: 5.9 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113D353 VirtualQuery,GetSystemInfo, 0_2_0113D353
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0112A2DF
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0113AFB9
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01149FD3 FindFirstFileExA, 0_2_01149FD3
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0112399B GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0112399B
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01142408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_01142408
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0113280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0113280D
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01168877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_01168877
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01121A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_01121A73
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0114CAE7 FindFirstFileW,FindNextFileW,FindClose, 3_2_0114CAE7
Source: C:\Users\user\Desktop\INV_0893.exe API call chain: ExitProcess graph end node
Source: uvbdlqfvw.pif, 00000017.00000003.553072884.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then0Rb
Source: uvbdlqfvw.pif, 0000000E.00000003.547420704.000000000303A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe
Source: uvbdlqfvw.pif, 0000000E.00000003.522771884.000000000302B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe}
Source: uvbdlqfvw.pif, 0000000C.00000003.505492001.00000000045B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwaretray.exeq
Source: uvbdlqfvw.pif, 00000003.00000003.393961109.0000000003C55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VboxService.exepz3t
Source: faeupdrjbw.afr.0.dr Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: faeupdrjbw.afr.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: uvbdlqfvw.pif, 00000017.00000002.577839213.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe0~
Source: uvbdlqfvw.pif, 00000019.00000003.564256844.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then79o
Source: uvbdlqfvw.pif, 0000000E.00000003.547420704.000000000303A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.exe444D6
Source: uvbdlqfvw.pif, 00000019.00000002.577415132.0000000002F90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe
Source: uvbdlqfvw.pif, 0000000E.00000002.551652003.0000000000C48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000y
Source: uvbdlqfvw.pif, 0000000E.00000003.513468475.0000000003011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenp
Source: faeupdrjbw.afr.0.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: uvbdlqfvw.pif, 0000000D.00000003.504116609.0000000003AED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwaretray.exeZ!
Source: uvbdlqfvw.pif, 00000017.00000002.577839213.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe3A765687
Source: uvbdlqfvw.pif, 00000019.00000002.577415132.0000000002F90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.exe536C7
Source: uvbdlqfvw.pif, 00000003.00000003.394404593.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.401152033.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.393237133.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.394189569.0000000003C5D000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.395107791.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.396289082.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.393961109.0000000003C55000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.432760043.0000000004440000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.430843861.0000000004434000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.428968439.0000000004431000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.432877001.000000000444C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe
Source: uvbdlqfvw.pif, 0000000D.00000003.504116609.0000000003AED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VboxService.exeu!
Source: uvbdlqfvw.pif, 00000017.00000003.553072884.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenT4E`
Source: uvbdlqfvw.pif, 00000005.00000003.431697192.000000000443D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwaretray.exea
Source: uvbdlqfvw.pif, 00000010.00000003.543862397.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000010.00000003.545397422.00000000048AD000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000010.00000003.546967670.00000000048B0000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000010.00000003.553574188.00000000048C0000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000010.00000003.548851878.00000000048BC000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000010.00000003.534687720.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe\
Source: uvbdlqfvw.pif, 00000003.00000003.393237133.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.393961109.0000000003C55000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.430843861.0000000004434000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.406326241.0000000004421000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.428968439.0000000004431000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000006.00000003.436870784.0000000003441000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.481069326.0000000003E91000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.446377357.0000000003E81000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.483217881.0000000003E94000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000C.00000003.470607041.00000000045A1000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000C.00000003.503415232.00000000045B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: faeupdrjbw.afr.0.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: uvbdlqfvw.pif, 00000019.00000003.564256844.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: uvbdlqfvw.pif, 00000010.00000003.543862397.00000000048A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: rocessExists("VboxService.exe") Then
Source: uvbdlqfvw.pif, 0000000A.00000003.483217881.0000000003E94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.execroso
Source: uvbdlqfvw.pif, 00000010.00000003.534687720.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Thena
Source: uvbdlqfvw.pif, 00000003.00000002.408624142.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.exe65687
Source: uvbdlqfvw.pif, 00000010.00000003.534687720.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.exe
Source: uvbdlqfvw.pif, 00000017.00000002.577839213.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe1x
Source: uvbdlqfvw.pif, 00000006.00000003.445620543.000000000345B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VboxService.exe5
Source: uvbdlqfvw.pif, 00000010.00000003.534687720.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe5
Source: uvbdlqfvw.pif, 00000013.00000003.524003657.0000000003D31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenT4Ej
Source: uvbdlqfvw.pif, 00000005.00000003.431697192.000000000443D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe3A765687
Source: uvbdlqfvw.pif, 00000010.00000003.534687720.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe6BA444D6
Source: uvbdlqfvw.pif, 00000019.00000003.564256844.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: uvbdlqfvw.pif, 00000006.00000003.445620543.000000000345B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwaretray.exeA
Source: faeupdrjbw.afr.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: uvbdlqfvw.pif, 00000005.00000003.428968439.0000000004431000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then79o-
Source: uvbdlqfvw.pif, 00000006.00000003.472201009.000000000346A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.exe637D6
Source: uvbdlqfvw.pif, 00000017.00000002.577839213.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.exe536C7k
Source: uvbdlqfvw.pif, 0000000A.00000003.484193504.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.481069326.0000000003E91000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.488423943.0000000003EB0000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.486092254.0000000003EA0000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.506597786.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.487397857.0000000003EAC000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000A.00000003.483217881.0000000003E94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe|u1%#
Source: uvbdlqfvw.pif, 00000006.00000003.472201009.000000000346A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exec
Source: uvbdlqfvw.pif, 00000003.00000002.408624142.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe'~
Source: uvbdlqfvw.pif, 00000005.00000003.431697192.000000000443D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.exe444D62
Source: uvbdlqfvw.pif, 0000000E.00000003.522771884.000000000302B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VboxService.exeV
Source: uvbdlqfvw.pif, 0000000D.00000003.504116609.0000000003AED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe$H
Source: uvbdlqfvw.pif, 0000000E.00000003.513468475.0000000003011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: uvbdlqfvw.pif, 00000010.00000003.534687720.00000000048A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VboxService.exeR
Source: uvbdlqfvw.pif, 00000019.00000003.564256844.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Thenkn
Source: uvbdlqfvw.pif, 0000000D.00000003.504116609.0000000003AED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareService.exe536C7d$d
Source: uvbdlqfvw.pif, 00000019.00000002.577415132.0000000002F90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe5FB536C7*^
Source: uvbdlqfvw.pif, 00000015.00000003.532638592.0000000000FE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenT4E
Source: uvbdlqfvw.pif, 0000000A.00000003.483217881.0000000003E94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe5FB536C7_v
Source: uvbdlqfvw.pif, 00000019.00000002.577415132.0000000002F90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VboxService.exe
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0113E4F5
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_010FEE30 LoadLibraryA,GetProcAddress, 3_2_010FEE30
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0114ACA1 GetProcessHeap, 0_2_0114ACA1
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01146AF3 mov eax, dword ptr fs:[00000030h] 0_2_01146AF3
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0114A35D BlockInput, 3_2_0114A35D
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113E643 SetUnhandledExceptionFilter, 0_2_0113E643
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0113E4F5
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0113E7FB
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_01147BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01147BE1
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0110F170 SetUnhandledExceptionFilter, 3_2_0110F170
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0110A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0110A128
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_011243FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_011243FF
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_010FD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 3_2_010FD7A0
Source: C:\Users\user\Desktop\INV_0893.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\uvbdlqfvw.pif" faeupdrjbw.afr
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\1_102\run.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\1_102\uvbdlqfvw.pif "C:\Users\user\1_102\UVBDLQ~1.PIF" FAEUPD~1.AFR
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01123321 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 3_2_01123321
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0113602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 3_2_0113602A
Source: INV_0893.exe, 00000000.00000003.335985605.0000000004907000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif.0.dr Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: uvbdlqfvw.pif, 00000006.00000003.436870784.0000000003441000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000006.00000003.442051689.000000000344D000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000006.00000003.471767396.0000000003467000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: uvbdlqfvw.pif Binary or memory string: Shell_TrayWnd
Source: uvbdlqfvw.pif, 00000003.00000003.393237133.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.393961109.0000000003C55000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.430843861.0000000004434000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: uvbdlqfvw.pif, 00000017.00000002.577839213.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager,x
Source: uvbdlqfvw.pif, 00000017.00000002.577839213.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000017.00000003.553072884.0000000004EF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Thenm
Source: uvbdlqfvw.pif, 00000005.00000003.432760043.0000000004440000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.430843861.0000000004434000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.428968439.0000000004431000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerL
Source: faeupdrjbw.afr.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: uvbdlqfvw.pif, 00000005.00000003.406326241.0000000004421000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000005.00000003.428968439.0000000004431000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: uvbdlqfvw.pif, 00000013.00000003.524003657.0000000003D31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Theng
Source: uvbdlqfvw.pif, 0000000C.00000003.509609607.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000C.00000003.508522641.00000000045CC000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 0000000C.00000003.507327420.00000000045BD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerr
Source: uvbdlqfvw.pif, 00000003.00000000.359780847.0000000001172000.00000002.00000001.01000000.00000007.sdmp, uvbdlqfvw.pif, 00000003.00000002.405404161.0000000001172000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: uvbdlqfvw.pif, 00000003.00000003.394404593.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.401152033.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, uvbdlqfvw.pif, 00000003.00000003.393237133.0000000003C51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managermz(t
Source: C:\Users\user\Desktop\INV_0893.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_01139D99
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113E34B cpuid 0_2_0113E34B
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0113CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle, 0_2_0113CBB8
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0110E284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 3_2_0110E284
Source: C:\Users\user\Desktop\INV_0893.exe Code function: 0_2_0112A995 GetVersionExW, 0_2_0112A995
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_01162BF9 GetUserNameW, 3_2_01162BF9
Source: uvbdlqfvw.pif Binary or memory string: WIN_XP
Source: uvbdlqfvw.pif Binary or memory string: WIN_XPe
Source: uvbdlqfvw.pif Binary or memory string: WIN_VISTA
Source: uvbdlqfvw.pif.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: uvbdlqfvw.pif Binary or memory string: WIN_7
Source: uvbdlqfvw.pif Binary or memory string: WIN_8
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_0115C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 3_2_0115C06C
Source: C:\Users\user\1_102\uvbdlqfvw.pif Code function: 3_2_011665D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_011665D3