Windows Analysis Report
98765434567890.exe

Overview

General Information

Sample Name: 98765434567890.exe
Analysis ID: 755084
MD5: 1c4e3e615e3596572062bca5ec498d41
SHA1: 40365b3026ba2fca699462877fc106d58d2406c2
SHA256: 622163e09e5ad5324887c02d7834628d7213015fc48d286d69b4a90fa17a772d
Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to detect Any.run
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: bulungan.go.id Virustotal: Detection: 10%
Source: 98765434567890.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 98765434567890.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: 98765434567890.exe, 0000000E.00000001.1133762095.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: mshtml.pdbUGP source: 98765434567890.exe, 0000000E.00000001.1133762095.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_00406555 FindFirstFileW,FindClose, 2_2_00406555
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405A03
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0040287E FindFirstFileW, 2_2_0040287E
Source: global traffic TCP traffic: 192.168.11.20:49812 -> 103.131.61.194:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: 98765434567890.exe, 0000000E.00000002.5798409385.00000000018C7000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5796006070.000000000187A000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5798690471.00000000018CF000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000003.1619247609.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5799359649.00000000018EB000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5799433414.00000000018ED000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdp
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdp$M
Source: 98765434567890.exe, 0000000E.00000002.5798690471.00000000018CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdp.
Source: 98765434567890.exe, 0000000E.00000002.5796006070.000000000187A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdp32T7
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdp3d
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdpLJ%
Source: 98765434567890.exe, 0000000E.00000002.5798690471.00000000018CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdpW
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdpXJ1
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdpZ
Source: 98765434567890.exe, 0000000E.00000002.5796006070.000000000187A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdp_7d
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdpdJ
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdphJ
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdpoV%
Source: 98765434567890.exe, 0000000E.00000002.5797556527.00000000018AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdppJ)
Source: 98765434567890.exe, 0000000E.00000002.5798690471.00000000018CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bulungan.go.id/jnSMxRfpiTGW30.mdpt
Source: 98765434567890.exe, 0000000E.00000001.1133762095.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: 98765434567890.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 98765434567890.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 98765434567890.exe String found in binary or memory: http://s.symcd.com06
Source: 98765434567890.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 98765434567890.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 98765434567890.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 98765434567890.exe, 0000000E.00000001.1133762095.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: 98765434567890.exe, 0000000E.00000001.1133580816.0000000000626000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: 98765434567890.exe, 0000000E.00000001.1133308325.00000000005F2000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: 98765434567890.exe, 0000000E.00000001.1133308325.00000000005F2000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: 98765434567890.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: 98765434567890.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: 98765434567890.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: 98765434567890.exe, 0000000E.00000001.1133762095.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: unknown DNS traffic detected: queries for: bulungan.go.id
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_004054B0
Source: 98765434567890.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040344A
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_00404CED 2_2_00404CED
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_004068DA 2_2_004068DA
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034AF5DD 2_2_034AF5DD
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490F45 2_2_03490F45
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490344 2_2_03490344
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349135A 2_2_0349135A
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349375C 2_2_0349375C
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349AB50 2_2_0349AB50
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03499774 2_2_03499774
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493B0E 2_2_03493B0E
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349D700 2_2_0349D700
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493F04 2_2_03493F04
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034903CA 2_2_034903CA
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034AF7C2 2_2_034AF7C2
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034937C2 2_2_034937C2
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03498FC4 2_2_03498FC4
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493BDD 2_2_03493BDD
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DBFA 2_2_0349DBFA
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034913F4 2_2_034913F4
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493B86 2_2_03493B86
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490B96 2_2_03490B96
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034907AE 2_2_034907AE
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493FAE 2_2_03493FAE
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034A67B8 2_2_034A67B8
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349364A 2_2_0349364A
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349324F 2_2_0349324F
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490245 2_2_03490245
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490A47 2_2_03490A47
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B1E5B 2_2_034B1E5B
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490E5C 2_2_03490E5C
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493A51 2_2_03493A51
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493E56 2_2_03493E56
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DE78 2_2_0349DE78
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03491275 2_2_03491275
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B520C 2_2_034B520C
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349D610 2_2_0349D610
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03499E26 2_2_03499E26
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03499234 2_2_03499234
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03499634 2_2_03499634
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034992C8 2_2_034992C8
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490ECA 2_2_03490ECA
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034912CD 2_2_034912CD
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490AEB 2_2_03490AEB
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034936EB 2_2_034936EB
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034932EF 2_2_034932EF
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349D2E4 2_2_0349D2E4
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034906F7 2_2_034906F7
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B269F 2_2_034B269F
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03498EAC 2_2_03498EAC
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493AAE 2_2_03493AAE
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03494140 2_2_03494140
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03499140 2_2_03499140
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490542 2_2_03490542
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493544 2_2_03493544
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03495146 2_2_03495146
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349395A 2_2_0349395A
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03499178 2_2_03499178
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493173 2_2_03493173
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B150A 2_2_034B150A
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349D50D 2_2_0349D50D
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490128 2_2_03490128
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B2929 2_2_034B2929
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349A92A 2_2_0349A92A
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490922 2_2_03490922
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490D39 2_2_03490D39
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493D35 2_2_03493D35
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03498D34 2_2_03498D34
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493936 2_2_03493936
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034909CE 2_2_034909CE
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034905DA 2_2_034905DA
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034995DE 2_2_034995DE
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034935D1 2_2_034935D1
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493DE8 2_2_03493DE8
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034939EF 2_2_034939EF
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03498D96 2_2_03498D96
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034901B5 2_2_034901B5
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493C4A 2_2_03493C4A
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349AC50 2_2_0349AC50
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03494057 2_2_03494057
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490472 2_2_03490472
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349D80D 2_2_0349D80D
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490001 2_2_03490001
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490C04 2_2_03490C04
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349001C 2_2_0349001C
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493415 2_2_03493415
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03493CC6 2_2_03493CC6
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034904D4 2_2_034904D4
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349D4EF 2_2_0349D4EF
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034930FC 2_2_034930FC
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034910F4 2_2_034910F4
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03490C98 2_2_03490C98
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03491497 2_2_03491497
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034934A9 2_2_034934A9
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034900AB 2_2_034900AB
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034AFCBF 2_2_034AFCBF
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034938B1 2_2_034938B1
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B390B NtProtectVirtualMemory, 2_2_034B390B
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B4860 NtResumeThread, 2_2_034B4860
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 14_2_01664634 NtProtectVirtualMemory, 14_2_01664634
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 14_2_016646E8 NtProtectVirtualMemory, 14_2_016646E8
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 14_2_016646DF NtProtectVirtualMemory, 14_2_016646DF
Source: C:\Users\user\Desktop\98765434567890.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\98765434567890.exe Section loaded: edgegdi.dll
Source: 98765434567890.exe Static PE information: invalid certificate
Source: libgiognutls.dll.2.dr Static PE information: Number of sections : 11 > 10
Source: C:\Users\user\Desktop\98765434567890.exe File read: C:\Users\user\Desktop\98765434567890.exe
Source: 98765434567890.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\98765434567890.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\98765434567890.exe C:\Users\user\Desktop\98765434567890.exe
Source: C:\Users\user\Desktop\98765434567890.exe Process created: C:\Users\user\Desktop\98765434567890.exe C:\Users\user\Desktop\98765434567890.exe
Source: C:\Users\user\Desktop\98765434567890.exe Process created: C:\Users\user\Desktop\98765434567890.exe C:\Users\user\Desktop\98765434567890.exe
Source: C:\Users\user\Desktop\98765434567890.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040344A
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Local\Temp\nsyF900.tmp
Source: classification engine Classification label: mal60.troj.evad.winEXE@3/4@1/1
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_00402104 CoCreateInstance, 2_2_00402104
Source: C:\Users\user\Desktop\98765434567890.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 2_2_00404771
Source: 98765434567890.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: 98765434567890.exe, 0000000E.00000001.1133762095.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: mshtml.pdbUGP source: 98765434567890.exe, 0000000E.00000001.1133762095.0000000000649000.00000008.00000001.01000000.00000006.sdmp

Data Obfuscation

Source: Yara match File source: 0000000E.00000000.1131062307.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1791187834.0000000003490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_10002DE0 push eax; ret 2_2_10002E0E
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03496F4A push eax; ret 2_2_03496F49
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03494B93 push ebp; ret 2_2_03494B96
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034A2FAB push esp; iretd 2_2_034A2FD3
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03496E6E push eax; ret 2_2_03496F49
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034962A2 pushfd ; ret 2_2_034962A3
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349D161 push ebp; iretd 2_2_0349D162
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03496076 push ebp; iretd 2_2_03496078
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034974FE push ebp; retf 2_2_034974FF
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 14_2_01660B7B push ebp; ret 14_2_01660C45
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 14_2_01663744 push esp; retf 14_2_0166374E
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 14_2_01663246 push esp; retf 14_2_01663252
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 14_2_0166144D push esp; retf 14_2_0166144E
Source: libgiognutls.dll.2.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_10001B18
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Local\Temp\nstFA69.tmp\System.dll
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty\libgiognutls.dll
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\antagonizing
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\antagonizing\Trespassage
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\antagonizing\Trespassage\Importprisernes.Qui
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty\libgiognutls.dll
Source: C:\Users\user\Desktop\98765434567890.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty\Epithem.Dre
Source: C:\Users\user\Desktop\98765434567890.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\98765434567890.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\98765434567890.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\98765434567890.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\98765434567890.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\98765434567890.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\98765434567890.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\98765434567890.exe TID: 7816 Thread sleep count: 87 > 30
Source: C:\Users\user\Desktop\98765434567890.exe TID: 7816 Thread sleep time: -87000s >= -30000s
Source: C:\Users\user\Desktop\98765434567890.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\98765434567890.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\98765434567890.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty\libgiognutls.dll
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03494749 rdtsc 2_2_03494749
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_00406555 FindFirstFileW,FindClose, 2_2_00406555
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405A03
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0040287E FindFirstFileW, 2_2_0040287E
Source: C:\Users\user\Desktop\98765434567890.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\98765434567890.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\98765434567890.exe API call chain: ExitProcess graph end node
Source: 98765434567890.exe, 00000002.00000002.1792129439.0000000010059000.00000004.00000800.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: 98765434567890.exe, 00000002.00000002.1792129439.0000000010059000.00000004.00000800.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: 98765434567890.exe, 00000002.00000002.1792129439.0000000010059000.00000004.00000800.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 98765434567890.exe, 0000000E.00000002.5798690471.00000000018CF000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000003.1619247609.00000000018D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: 98765434567890.exe, 00000002.00000002.1792129439.0000000010059000.00000004.00000800.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: 98765434567890.exe, 00000002.00000002.1792129439.0000000010059000.00000004.00000800.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: 98765434567890.exe, 0000000E.00000002.5796006070.000000000187A000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5798690471.00000000018CF000.00000004.00000020.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000003.1619247609.00000000018D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 98765434567890.exe, 00000002.00000002.1792129439.0000000010059000.00000004.00000800.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: 98765434567890.exe, 00000002.00000002.1792129439.0000000010059000.00000004.00000800.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: 98765434567890.exe, 00000002.00000002.1792129439.0000000010059000.00000004.00000800.00020000.00000000.sdmp, 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: 98765434567890.exe, 0000000E.00000002.5800306502.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_10001B18
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03494749 rdtsc 2_2_03494749
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DF36 mov ebx, dword ptr fs:[00000030h] 2_2_0349DF36
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DBFA mov eax, dword ptr fs:[00000030h] 2_2_0349DBFA
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034A1788 mov eax, dword ptr fs:[00000030h] 2_2_034A1788
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DE78 mov ebx, dword ptr fs:[00000030h] 2_2_0349DE78
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DE78 mov eax, dword ptr fs:[00000030h] 2_2_0349DE78
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DE18 mov eax, dword ptr fs:[00000030h] 2_2_0349DE18
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B06CA mov eax, dword ptr fs:[00000030h] 2_2_034B06CA
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DEC4 mov ebx, dword ptr fs:[00000030h] 2_2_0349DEC4
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349C686 mov eax, dword ptr fs:[00000030h] 2_2_0349C686
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B2929 mov eax, dword ptr fs:[00000030h] 2_2_034B2929
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_03498D96 mov eax, dword ptr fs:[00000030h] 2_2_03498D96
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DC48 mov eax, dword ptr fs:[00000030h] 2_2_0349DC48
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349D4EF mov eax, dword ptr fs:[00000030h] 2_2_0349D4EF
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0349DCA9 mov eax, dword ptr fs:[00000030h] 2_2_0349DCA9
Source: C:\Users\user\Desktop\98765434567890.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\98765434567890.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_034B073D LdrLoadDll, 2_2_034B073D
Source: C:\Users\user\Desktop\98765434567890.exe Process created: C:\Users\user\Desktop\98765434567890.exe C:\Users\user\Desktop\98765434567890.exe
Source: C:\Users\user\Desktop\98765434567890.exe Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040344A