Windows Analysis Report
POv5Nk1dlu.exe

Overview

General Information

Sample Name: POv5Nk1dlu.exe
Analysis ID: 756107
MD5: 14e2d1b23a073724d63ce5c9c89091cd
SHA1: 000e55014fd09600275f5b394c5be51c2bf4dad9
SHA256: cd64bfd3940f7aabd6a74ca47beba4ef1d19f6605dee0f64e5932765a3142fba
Tags: exe

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Binary is likely a compiled AutoIt script file
Found API chain indicative of debugger detection
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Stores files to the Windows start menu directory
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
OS version to string mapping found (often used in BOTs)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Creates a start menu entry (Start Menu\Programs\Startup)
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to read data from the clipboard

AV Detection

Source: POv5Nk1dlu.exe ReversingLabs: Detection: 76%
Source: POv5Nk1dlu.exe Virustotal: Detection: 73%
Source: POv5Nk1dlu.exe Avira: detected
Source: C:\Users\user\RDVGHelper\at.exe Avira: detection malicious, Label: HEUR/AGEN.1245473
Source: POv5Nk1dlu.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_009BF200
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B4696 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_009B4696
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_009BC9C7
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BC93C FindFirstFileW,FindClose, 2_2_009BC93C
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_009BF35D
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_009BF65E
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_009B3A2B
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bot.whatismyipaddress.com
Source: POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bot.whatismyipaddress.com6
Source: POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgmTime
Source: at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgmTimed
Source: at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.myexternalip.com/raw
Source: POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.myexternalip.com/raw/
Source: POv5Nk1dlu.exe, 00000000.00000002.316017878.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009C25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 2_2_009C25E2
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard, 2_2_009C425A
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6F83BC60,6F83AF40,SetCapture,ClientToScreen,6F83B190,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00FDCDAC
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6F83BC60,6F83AF40,SetCapture,ClientToScreen,6F83B190,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_009DCDAC
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F52344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00F52344

System Summary

Source: POv5Nk1dlu.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POv5Nk1dlu.exe, 00000000.00000003.304290006.0000000003598000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POv5Nk1dlu.exe, 00000000.00000003.304290006.0000000003598000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: POv5Nk1dlu.exe, 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POv5Nk1dlu.exe, 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\RDVGHelper\at.exe Code function: This is a third-party compiled AutoIt script. 2_2_00953B4C
Source: at.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: at.exe, 00000002.00000000.346969623.0000000000A05000.00000080.00000001.01000000.00000007.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: at.exe, 00000002.00000000.346969623.0000000000A05000.00000080.00000001.01000000.00000007.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: at.exe, 00000002.00000003.350512567.0000000003CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: at.exe, 00000002.00000003.350512567.0000000003CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: POv5Nk1dlu.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POv5Nk1dlu.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: at.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script.
Source: at.exe.0.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: POv5Nk1dlu.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url, type: DROPPED Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 2_2_009B545F
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F5E060 0_2_00F5E060
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F5E800 0_2_00F5E800
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F5FE40 0_2_00F5FE40
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F66843 0_2_00F66843
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FD804A 0_2_00FD804A
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F87006 0_2_00F87006
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F86522 0_2_00F86522
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F6710E 0_2_00F6710E
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F716C4 0_2_00F716C4
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F51287 0_2_00F51287
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F68A0E 0_2_00F68A0E
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F7BFE6 0_2_00F7BFE6
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F7DBB5 0_2_00F7DBB5
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0095E060 2_2_0095E060
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0095E800 2_2_0095E800
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0095FE40 2_2_0095FE40
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009D804A 2_2_009D804A
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00964140 2_2_00964140
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00972405 2_2_00972405
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00986522 2_2_00986522
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0098267E 2_2_0098267E
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009D0665 2_2_009D0665
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0097283A 2_2_0097283A
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00966843 2_2_00966843
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009889DF 2_2_009889DF
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00986A94 2_2_00986A94
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009D0AE2 2_2_009D0AE2
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00968A0E 2_2_00968A0E
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B8B13 2_2_009B8B13
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009AEB07 2_2_009AEB07
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0097CD61 2_2_0097CD61
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00987006 2_2_00987006
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00963190 2_2_00963190
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0096710E 2_2_0096710E
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00951287 2_2_00951287
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009733C7 2_2_009733C7
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0097F419 2_2_0097F419
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00965680 2_2_00965680
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009716C4 2_2_009716C4
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009778D3 2_2_009778D3
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009658C0 2_2_009658C0
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0097DBB5 2_2_0097DBB5
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00971BB8 2_2_00971BB8
Source: C:\Users\user\RDVGHelper\at.exe Code function: String function: 00957F41 appears 33 times
Source: C:\Users\user\RDVGHelper\at.exe Code function: String function: 00970D27 appears 65 times
Source: C:\Users\user\RDVGHelper\at.exe Code function: String function: 00978B40 appears 36 times
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,731F6290,731F7BC0,CreateProcessAsUserW,731F5000,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,731F7C20, 2_2_009A8858
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F53633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 0_2_00F53633
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_00FDC8EE
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_00FDC49C
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F5189B NtdllDialogWndProc_W, 0_2_00F5189B
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDC86D SendMessageW,NtdllDialogWndProc_W, 0_2_00FDC86D
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDCC2E ClientToScreen,6F83B270,NtdllDialogWndProc_W, 0_2_00FDCC2E
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6F83BC60,6F83AF40,SetCapture,ClientToScreen,6F83B190,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00FDCDAC
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDCD6C GetWindowLongW,NtdllDialogWndProc_W, 0_2_00FDCD6C
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F516DE GetParent,NtdllDialogWndProc_W, 0_2_00F516DE
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDD6C6 NtdllDialogWndProc_W, 0_2_00FDD6C6
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F516B5 NtdllDialogWndProc_W, 0_2_00F516B5
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F51290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 0_2_00F51290
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDDA9A NtdllDialogWndProc_W, 0_2_00FDDA9A
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F51287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73324310,NtdllDialogWndProc_W, 0_2_00F51287
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDC27C 6F83B200,6F83B5E0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_00FDC27C
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F5167D NtdllDialogWndProc_W, 0_2_00F5167D
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDC220 NtdllDialogWndProc_W, 0_2_00FDC220
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDCBF9 NtdllDialogWndProc_W, 0_2_00FDCBF9
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDCBAE NtdllDialogWndProc_W, 0_2_00FDCBAE
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 0_2_00FDC788
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDCB7F NtdllDialogWndProc_W, 0_2_00FDCB7F
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDCB50 NtdllDialogWndProc_W, 0_2_00FDCB50
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FDD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 0_2_00FDD74C
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00953633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 2_2_00953633
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DC220 NtdllDialogWndProc_W, 2_2_009DC220
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DC27C 6F83B200,6F83B5E0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 2_2_009DC27C
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 2_2_009DC49C
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 2_2_009DC788
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 2_2_009DC8EE
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DC86D SendMessageW,NtdllDialogWndProc_W, 2_2_009DC86D
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DCBAE NtdllDialogWndProc_W, 2_2_009DCBAE
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DCBF9 NtdllDialogWndProc_W, 2_2_009DCBF9
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DCB50 NtdllDialogWndProc_W, 2_2_009DCB50
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DCB7F NtdllDialogWndProc_W, 2_2_009DCB7F
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DCC2E ClientToScreen,6F83B270,NtdllDialogWndProc_W, 2_2_009DCC2E
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6F83BC60,6F83AF40,SetCapture,ClientToScreen,6F83B190,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_009DCDAC
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DCD6C GetWindowLongW,NtdllDialogWndProc_W, 2_2_009DCD6C
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00951290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 2_2_00951290
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00951287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73324310,NtdllDialogWndProc_W, 2_2_00951287
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009516B5 NtdllDialogWndProc_W, 2_2_009516B5
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009516DE GetParent,NtdllDialogWndProc_W, 2_2_009516DE
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DD6C6 NtdllDialogWndProc_W, 2_2_009DD6C6
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0095167D NtdllDialogWndProc_W, 2_2_0095167D
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 2_2_009DD74C
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0095189B NtdllDialogWndProc_W, 2_2_0095189B
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009DDA9A NtdllDialogWndProc_W, 2_2_009DDA9A
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle, 2_2_009B40B1
Source: POv5Nk1dlu.exe, 00000000.00000003.305755579.00000000034A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.303502621.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000002.315183078.0000000000B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME1 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000002.315295636.0000000000C16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000002.315295636.0000000000C16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000000.301657715.000000000106B000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000002.315224332.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.302533451.0000000000C16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.302533451.0000000000C16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.302345223.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FV_ORIGINALFILENAME vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.302345223.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: POv5Nk1dlu.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: at.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: POv5Nk1dlu.exe ReversingLabs: Detection: 76%
Source: POv5Nk1dlu.exe Virustotal: Detection: 73%
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe File read: C:\Users\user\Desktop\POv5Nk1dlu.exe
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\POv5Nk1dlu.exe C:\Users\user\Desktop\POv5Nk1dlu.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\RDVGHelper\runas.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\RDVGHelper\at.exe "C:\Users\user\RDVGHelper\at.exe"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009A8713 AdjustTokenPrivileges,CloseHandle, 2_2_009A8713
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 2_2_009A8CC3
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe File created: C:\Users\user\RDVGHelper
Source: classification engine Classification label: mal84.expl.evad.winEXE@4/3@0/0
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 2_2_009BB59E
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FBA2D5 GetLastError,FormatMessageW, 0_2_00FBA2D5
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00FB3E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00FB3E91
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00954FE9 76DCC0F0,FindResourceExW,LoadResource,SizeofResource,LockResource, 2_2_00954FE9
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\RDVGHelper\runas.vbs"
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Automated click: OK
Source: C:\Users\user\RDVGHelper\at.exe Automated click: OK
Source: POv5Nk1dlu.exe Static file information: File size 1348104 > 1048576
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F78B85 push ecx; ret 0_2_00F78B98
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00978B85 push ecx; ret 2_2_00978B98
Source: POv5Nk1dlu.exe Static PE information: section name: .imports
Source: at.exe.0.dr Static PE information: section name: .imports
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F54D61 LoadLibraryA,GetProcAddress, 0_2_00F54D61
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe File created: C:\Users\user\RDVGHelper\at.exe
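The static PE findings above (UPX0/UPX1 and .imports section names, a .reloc section flagged IMAGE_SCN_MEM_WRITE, the "This is a third-party compiled AutoIt script." string) can be reproduced without a sandbox. The following is an added triage script, not part of the Joe Sandbox report: it walks the PE headers with nothing but `struct`, reports the same three classes of indicator, and runs against a constructed minimal PE32 image that carries those indicators. The section-name sets and the sample builder are assumptions for the example; the sample bytes are not POv5Nk1dlu.exe.

```python
"""Static triage of a PE file for the indicators this report lists: section names
outside the usual linker set (UPX0/UPX1, .imports), a .reloc section marked
IMAGE_SCN_MEM_WRITE, and the compiled-AutoIt marker string.
Added example; the sample bytes below are a constructed stand-in, not POv5Nk1dlu.exe."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names produced by mainstream linkers; anything else deserves a look.
STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                     b".rsrc", b".reloc", b".tls", b".pdata", b".CRT", b".debug"}
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX"}
# Literal string embedded by the AutoIt3 runtime stub, as quoted in the report.
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."


def parse_sections(data: bytes):
    """Walk MZ -> PE signature -> COFF header -> section table (no dependencies)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": fields[0].rstrip(b"\0"), "virtual_size": fields[1],
                         "raw_size": fields[3], "characteristics": fields[9]})
    return machine, sections


def triage(data: bytes) -> dict:
    """Return machine type, section names and the list of static findings."""
    machine, sections = parse_sections(data)
    findings = []
    for s in sections:
        name = s["name"].decode("ascii", errors="replace")
        chars = s["characteristics"]
        if s["name"] in PACKER_SECTIONS:
            findings.append(f"packer section {name} ({PACKER_SECTIONS[s['name']]})")
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name}")
        if s["name"] == b".reloc" and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(".reloc is writable (IMAGE_SCN_MEM_WRITE)")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name} is writable and executable")
    if AUTOIT_MARKER in data:
        findings.append("compiled AutoIt script marker present")
    return {"is_32bit": machine == IMAGE_FILE_MACHINE_I386,
            "sections": [s["name"].decode("ascii", errors="replace") for s in sections],
            "findings": findings}


def build_sample_pe(section_specs, payload: bytes) -> bytes:
    """Construct a minimal PE32 image: headers plus one raw blob shared by all sections.
    Test input only; the real sample's layout is not reproduced."""
    nsec = len(section_specs)
    opt_size = 224  # size of a PE32 optional header
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * nsec
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    len(payload), headers_len, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(section_specs))
    return dos + b"PE\0\0" + coff + opt + table + payload


# Constructed analogue of the report's static observations: UPX sections, a custom
# .imports section, a .reloc with INITIALIZED_DATA|DISCARDABLE|READ|WRITE (0xC2000040),
# and the AutoIt marker somewhere in the file body.
SAMPLE = build_sample_pe(
    [(b"UPX0", 0xE0000080), (b"UPX1", 0xE0000040),
     (b".imports", 0x40000040), (b".reloc", 0xC2000040)],
    payload=b"\0" * 16 + AUTOIT_MARKER + b"\0" * 16)

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print(line)
```

A writable .reloc is unusual because the loader only reads relocation records; combined with UPX section names it is a cheap hint that the file is packed and that the meaningful strings will only appear after unpacking, which is why the report finds the AutoIt marker in memory dumps as well as in the dropped at.exe.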

Boot Survival

Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\RDVGHelper\at.exe "C:\Users\user\RDVGHelper\at.exe"
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F54A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00F54A35
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00954A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00954A35
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_009D55FD
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009733C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_009733C7
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RDVGHelper\at.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe API coverage: 6.2 %
Source: C:\Users\user\RDVGHelper\at.exe API coverage: 5.6 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00954AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_00954AFE
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_009BF200
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B4696 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_009B4696
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_009BC9C7
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BC93C FindFirstFileW,FindClose, 2_2_009BC93C
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_009BF35D
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_009BF65E
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_009B3A2B
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Anti Debugging

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F85CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,MessageBoxW, 0_2_00F85CCC
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F54D61 LoadLibraryA,GetProcAddress, 0_2_00F54D61
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 2_2_009A81F7
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009C41FD BlockInput, 2_2_009C41FD
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F7A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F7A395
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0097A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0097A395
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0097A364 SetUnhandledExceptionFilter, 2_2_0097A364
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009A8C93 LogonUserW, 2_2_009A8C93
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F54A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00F54A35
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00953B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 2_2_00953B4C
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\RDVGHelper\at.exe "C:\Users\user\RDVGHelper\at.exe"
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B4EC9 mouse_event, 2_2_009B4EC9
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 2_2_009B4C03
Source: POv5Nk1dlu.exe, at.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: POv5Nk1dlu.exe, at.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0097886B cpuid 2_2_0097886B
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe Code function: 0_2_00F850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F850D7
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_0098418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_0098418A
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00954AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_00954AFE
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_00992230 GetUserNameW, 2_2_00992230
Source: at.exe Binary or memory string: WIN_81
Source: at.exe Binary or memory string: WIN_XP
Source: at.exe, 00000002.00000002.358422252.0000000001607000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP&
Source: at.exe Binary or memory string: WIN_XPe
Source: at.exe Binary or memory string: WIN_VISTA
Source: POv5Nk1dlu.exe, 00000000.00000003.302345223.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP3r\
Source: at.exe Binary or memory string: WIN_7
Source: at.exe Binary or memory string: WIN_8
Source: at.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 2_2_009C6596
Source: C:\Users\user\RDVGHelper\at.exe Code function: 2_2_009C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_009C6A5A
No contacted IP information