Windows Analysis Report
09212399.exe

Overview

General Information

Sample Name: 09212399.exe
Analysis ID: 877002
MD5: 57dd320eae0fadd155619407c8b5313c
SHA1: fc2ce4b86d64025dbba19bb84e561a27fcb6ffb3
SHA256: 4a524e63c81e6cf9ab8a86f8de0973ea6a6d0973545867d34eba1b777e238628

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Deletes itself after installation
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 09212399.exe Virustotal: Detection: 40%
Source: 09212399.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\09212399.exe Unpacked PE file: 0.2.09212399.exe.400000.0.unpack
Source: 09212399.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\09212399.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe
Source: Binary string: ,C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 179.43.162.23:8509
Source: unknown TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.png
Source: 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngH
Source: 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngkernelbasentdllkernel32GetProcessMitigatio
Source: certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
Source: certreq.exe, 00000001.00000003.450923361.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444650267.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423142442.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443304465.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.445666271.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424137500.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443537430.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.428558621.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.420232422.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443833228.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424761572.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423901851.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423640005.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.441677024.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.438459075.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424370962.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823DB1000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.419657256.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444175695.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip
Source: certreq.exe, 00000001.00000003.413436249.0000018823DBA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415230877.0000018823DBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://http:///etc/puk.keyMachineGuid

System Summary

Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 09212399.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\09212399.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_3_02716E4B 0_3_02716E4B
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_00416214 0_2_00416214
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_004182F4 0_2_004182F4
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_023E707B 0_2_023E707B
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_023E915B 0_2_023E915B
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D4A10 1_3_00000188240D4A10
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D2792 1_3_00000188240D2792
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D1B9C 1_3_00000188240D1B9C
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D2C32 1_3_00000188240D2C32
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D5E54 1_3_00000188240D5E54
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D5554 1_3_00000188240D5554
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D58D4 1_3_00000188240D58D4
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D24ED 1_3_00000188240D24ED
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_0040203B NtProtectVirtualMemory, 0_2_0040203B
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_004018FB GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,NtQuerySystemInformation,HeapAlloc,RtlAllocateHeap,NtQuerySystemInformation,HeapAlloc,WideCharToMultiByte,_strlen,OutputDebugStringW,HeapFree,_rand,_rand,HeapAlloc,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CreateFileW,ReadFile,CloseHandle,HeapFree, 0_2_004018FB
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_0040250D HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,HeapAlloc,GetModuleHandleA,HeapAlloc,HeapAlloc,WaitForSingleObject,HeapFree,RtlFreeHeap,HeapDestroy,NtProtectVirtualMemory,VirtualFree,GetProcessHeap,HeapFree, 0_2_0040250D
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_0040159B GetCurrentProcess,VirtualAllocExNuma,NtAllocateVirtualMemory,HeapAlloc,InterlockedIncrement,InterlockedIncrement,HeapAlloc,InterlockedIncrement,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapAlloc, 0_2_0040159B
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_023D3374 HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,WaitForSingleObject,HeapFree,HeapFree,HeapDestroy,NtContinue,NtContinue,NtContinue,GetProcessHeap,HeapFree, 0_2_023D3374
Source: C:\Windows\System32\certreq.exe Code function: 1_3_00000188240D30A7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor, 1_3_00000188240D30A7
Source: 09212399.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 09212399.exe Virustotal: Detection: 40%
Source: 09212399.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\09212399.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\09212399.exe C:\Users\user\Desktop\09212399.exe
Source: C:\Users\user\Desktop\09212399.exe Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe
Source: C:\Windows\System32\certreq.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\09212399.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880
Source: C:\Users\user\Desktop\09212399.exe Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe
Source: C:\Users\user\Desktop\09212399.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\09212399.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: classification engine Classification label: mal100.spyw.evad.winEXE@5/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
Source: C:\Users\user\Desktop\09212399.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: 09212399.exe String found in binary or memory: {d764e42e-add5-9d16-74e7-6164935016d1}
Source: 09212399.exe String found in binary or memory: {a722ed69-f75e-adda-c282-357b7a5881c0}
Source: 09212399.exe String found in binary or memory: {2a53b0ee-add5-8019-6f4d-b504148f277d}
Source: 09212399.exe String found in binary or memory: {fd1f761c-addd-f638-ccfc-dc2ddad2eb2e}
Source: 09212399.exe String found in binary or memory: {93c09873-6c92-83d1-add1-d1cf6ce0db24}
Source: 09212399.exe String found in binary or memory: {67db7274-addc-33aa-369d-f51ff4fbdf01}
Source: 09212399.exe String found in binary or memory: {652d3a0a-0179-af7e-c9e4-add04bde0b9b}
Source: 09212399.exe String found in binary or memory: {04e8de6c-add6-baab-c21e-7d664f7ae35c}
Source: 09212399.exe String found in binary or memory: {e530ebc8-addd-aec2-555f-9c575215134d}
Source: 09212399.exe String found in binary or memory: {64f34c59-9151-4877-321d-add8d2d439f6}
Source: C:\Windows\System32\certreq.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
Source: C:\Users\user\Desktop\09212399.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 09212399.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 09212399.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 09212399.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 09212399.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 09212399.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 09212399.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 09212399.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe
Source: Binary string: ,C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe

Data Obfuscation

Source: C:\Users\user\Desktop\09212399.exe Unpacked PE file: 0.2.09212399.exe.400000.0.unpack
Source: C:\Users\user\Desktop\09212399.exe Unpacked PE file: 0.2.09212399.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_3_0271434F push esp; retf 0_3_0271459C
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_3_02717F4F push ecx; retf 0_3_02717FB0
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_3_02710FF2 push edx; iretd 0_3_0271109E
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_3_02714DED pushad ; retf 0_3_02714DF7
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_3_027106EC push edi; retf 0_3_027106ED
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_3_027149B2 push es; iretd 0_3_027149B3
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_3_02714D8D push es; retf 0_3_02714D8E
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_00416203 push ecx; ret 0_2_00416213
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_00416320 push eax; ret 0_2_00416334
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_00416320 push eax; ret 0_2_0041635C
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_023E706A push ecx; ret 0_2_023E707A
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_023E7187 push eax; ret 0_2_023E719B
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_023E7187 push eax; ret 0_2_023E71C3
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_004179F7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004179F7
Source: initial sample Static PE information: section name: .text entropy: 7.890261806957562

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\certreq.exe File deleted: c:\users\user\desktop\09212399.exe
Source: C:\Users\user\Desktop\09212399.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\certreq.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 09212399.exe PID: 4968, type: MEMORYSTR
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WQLRANDOMRANDOM NAME%THISISANINVALIDFILENAME?[]<>@\;*!-{}#:/~%%THISISANINVALIDENVIRONMENTVARIABLENAME?[]<>@\;*!-{}#:/~%CMDVRT32.DLLCMDVRT64.DLLWPESPY.DLLVMCHECK.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLDBGHELP.DLLSBIEDLL.DLLSNXHK.DLLAVGHOOKA.DLLAVGHOOKX.DLLTESTAPP.EXEMYAPP.EXEKLAVME.EXETEST.EXEMALWARE.EXESANDBOX.EXEBOT.EXESAMPLE.EXEJOHN DOEVIRUSTEST USERMALTESTMALWARESAND BOXUSERTIMMYPETER WILSONMILOZSMILLERJOHNSONIT-ADMINHONG LEEHAPUBWSEMILYSANDBOXCURRENTUSERTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYANONYMOUSUSERC:\A\FOOBAR.GIFC:\A\FOOBAR.DOCC:\A\FOOBAR.BMPC:\123\EMAIL.DOCXC:\123\EMAIL.DOCC:\EMAIL.HTMC:\EMAIL.DOCC:\LOADDLL.EXEC:\TAKE_SCREENSHOT.PS1JOHNKLONE_X64-PCSYSTEMITADMINSWSCWILBERNUMBEROFCORESSELECT * FROM WIN32_PROCESSORROOT\CIMV2VIRTUALQEMUVMWAREVBOXVBOXVBOXVBOXPARALLELS HVPRL HYPERV XENVMMXENVMMVMWAREVMWAREMICROSOFT HVKVMKVMKVMA M IVIRTUALXEN0PARALLELSVMWARESERIALNUMBERSELECT * FROM WIN32_BIOSHVM DOMUVIRTUALBOXMODELSELECT * FROM WIN32_COMPUTERSYSTEMQEMUINNOTEK GMBHMANUFACTURERPROCESSORIDVMWXENVIRTIOSYSTEM\CURRENTCONTROLSET\ENUM\SCSISYSTEM\CURRENTCONTROLSET\ENUM\IDESELECT * FROM CIM_PHYSICALCONNECTOR06/23/99SYSTEMBIOSDATEVIRTUALBOXVIDEOBIOSVERSIONSYSTEMBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DESCRIPTION\SYSTEMVBOXSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOSYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONSHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SYSTEM32\VBOXCONTROL.EXESYSTEM32\VBOXTRAY.EXESYSTEM32\VBOXSERVICE.EXESYSTEM32\VBOXOGLPASSTHROUGHSPU.DLLSYSTEM32\VBOXOGLPACKSPU.DLLSYSTEM32\VBOXOGLFEEDBACKSPU.DLLSYSTEM32\VBOXOGLERRORSPU.DLLSYSTEM32\VBOXOGLCRUTIL.DLLSYSTEM32\VBOXOGLARRAYSPU.DLLSYSTEM32\VBOXOGL.DLLSYSTEM32\VBOXMRXNP.DLLSYSTEM32\VBOXHOOK.DLLSYSTEM32\VBOXDISP.DLLSYSTEM32\DRIVERS\VBOXVIDEO.SYSSYSTEM32\DRIVERS\VBOXSF.SYSSYSTEM32\DRIVERS\VBOXGUEST.SYSSYSTEM32\DRIVERS\VBOXMOUSE.SYS%PROGRAMW6432%\\.\PIPE\VBOXTRAYIPC\\.\VBOXTRAYIPC\\.\PIPE\VBOXMINIRDDN\\.\VBOXGUEST\\.\VBOXMINIRDRDNVBOXTRAYTOOLWNDVBOXTRAYTOOLWNDCLASSVIRTUALBOX SHARED FOLDERSVBOXTRAY.EXEVBOXSERVICE.EXEPCI\VEN_80EE&DEV_CAFEDEVICEIDSELECT * FROM WIN32_PNPENTITYOPENHCD82371SB82441FX82801FBNAMEVEN_VBOXPNPDEVICEIDCAPTIONSELECT * FROM WIN32_PNPDEVICEPNP_BUS_0PCI_BUS_0ACPIBUS_BUS_0SELECT * FROM WIN32_BUSORACLE CORPORATIONPRODUCTSELECT * FROM WIN32_BASEBOARDSOURCESSYSTEMFILENAMESELECT * FROM WIN32_NTEVENTLOGFILEVBOXWDDMVBOXVIDEOW8VBOXVIDEOVBOXVBOXVIRTUALBOXSYSTEMPRODUCTNAMESYSTEMMANUFACTURERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONVMWARESOFTWARE\VMWARE, INC.\VMWARE TOOLSVMACTHLP.EXEVGAUTHSERVICE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGMON.EXE
Source: 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCEXP.EXEPROCEXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXEPROCMON64.EXEVMMAP.EXEVMMAP64.EXEPORTMON.EXEPROCESSLASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDANR.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
Source: C:\Windows\System32\certreq.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\09212399.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\09212399.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_0041A38E VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_0041A38E
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WQLrandomRandom name%ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%cmdvrt32.dllcmdvrt64.dllwpespy.dllvmcheck.dllpstorec.dlldir_watch.dllapi_log.dlldbghelp.dllsbiedll.dllsnxhk.dllavghooka.dllavghookx.dlltestapp.exemyapp.exeklavme.exetest.exemalware.exesandbox.exebot.exesample.exeJohn Doevirustest usermaltestmalwaresand boxusertimmyPeter WilsonmilozsMillerJohnsonIT-ADMINHong LeeHAPUBWSEmilySandboxCurrentUserTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYAnonymousUSERC:\a\foobar.gifC:\a\foobar.docC:\a\foobar.bmpC:\123\email.docxC:\123\email.docC:\email.htmC:\email.docC:\loaddll.exeC:\take_screenshot.ps1JohnKLONE_X64-PCSystemITadminSWSCWilberNumberOfCoresSELECT * FROM Win32_ProcessorROOT\CIMV2virtualqemuvmwarevboxVBoxVBoxVBoxParallels Hvprl hyperv XenVMMXenVMMVMwareVMwareMicrosoft HvKVMKVMKVMA M IVirtualXen0ParallelsVMWareSerialNumberSELECT * FROM Win32_BIOSHVM domUVirtualBoxModelSELECT * FROM Win32_ComputerSystemQEMUinnotek GmbHManufacturerProcessorIdVMWxenvirtioSystem\CurrentControlSet\Enum\SCSISystem\CurrentControlSet\Enum\IDESELECT * FROM CIM_PhysicalConnector06/23/99SystemBiosDateVIRTUALBOXVideoBiosVersionSystemBiosVersionIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemVBOXSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxGuestSOFTWARE\Oracle\VirtualBox Guest AdditionsHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__System32\VBoxControl.exeSystem32\vboxtray.exeSystem32\vboxservice.exeSystem32\vboxoglpassthroughspu.dllSystem32\vboxoglpackspu.dllSystem32\vboxoglfeedbackspu.dllSystem32\vboxoglerrorspu.dllSystem32\vboxoglcrutil.dllSystem32\vboxoglarrayspu.dllSystem32\vboxogl.dllSystem32\vboxmrxnp.dllSystem32\vboxhook.dllSystem32\vboxdisp.dllSystem32\drivers\VBoxVideo.sysSystem32\drivers\VBoxSF.sysSystem32\drivers\VBoxGuest.sysSystem32\drivers\VBoxMouse.sys%ProgramW6432%\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPC\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\VBoxMiniRdrDNVBoxTrayToolWndVBoxTrayToolWndClassVirtualBox Shared Foldersvboxtray.exevboxservice.exePCI\VEN_80EE&DEV_CAFEDeviceIdSELECT * FROM Win32_PnPEntityOpenHCD82371SB82441FX82801FBNameVEN_VBOXPNPDeviceIDCaptionSELECT * FROM Win32_PnPDevicePNP_BUS_0PCI_BUS_0ACPIBus_BUS_0SELECT * FROM Win32_BusOracle CorporationProductSELECT * FROM Win32_BaseBoardSourcesSystemFileNameSELECT * FROM Win32_NTEventlogFileVBoxWddmVBoxVideoW8vboxvideoVBOXvboxVirtualBoxSystemProductNameSystemManufacturerHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationVMWARESOFTWARE\VMware, Inc.\VMware Toolsvmacthlp.exeVGAuthService
Source: 09212399.exe, 00000000.00000003.380059413.00000000007F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWle
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 09212399.exe, 00000000.00000003.380059413.00000000007F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_004179F7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004179F7
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_0040250D HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,HeapAlloc,GetModuleHandleA,HeapAlloc,HeapAlloc,WaitForSingleObject,HeapFree,RtlFreeHeap,HeapDestroy,NtProtectVirtualMemory,VirtualFree,GetProcessHeap,HeapFree, 0_2_0040250D
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_023D092B mov eax, dword ptr fs:[00000030h] 0_2_023D092B
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_023D0D90 mov eax, dword ptr fs:[00000030h] 0_2_023D0D90
Source: C:\Users\user\Desktop\09212399.exe Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe
Source: C:\Windows\System32\certreq.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\09212399.exe Code function: GetLocaleInfoA, 0_2_0041A4F9
Source: C:\Users\user\Desktop\09212399.exe Code function: GetLocaleInfoA, 0_2_023EB360
Source: C:\Windows\System32\certreq.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\certreq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_00419F6D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00419F6D
Source: C:\Users\user\Desktop\09212399.exe Code function: 0_2_00414BB6 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA, 0_2_00414BB6
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpview.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Wireshark.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lordpe.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Procmon.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autoruns.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regmon.exe

Stealing of Sensitive Information

Source: C:\Windows\System32\certreq.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\System32\certreq.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\System32\certreq.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Windows\System32\certreq.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c22ad13a-a322-4fd2-af93-38f6ee0e683c
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_apdfllckaahabafndbhieahigkjlhalf
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform Notifications
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pjkljhegncpnkpknbcohdijeoejaedia
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\certreq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb