Windows Analysis Report
WggZw957eT.exe

Overview

General Information

Sample name: WggZw957eT.exe (renamed because the original name is a hash value)
Original sample name: dac0dcb27faee13abe4f3a6ca8b8d157.exe
Analysis ID: 1434735
MD5: dac0dcb27faee13abe4f3a6ca8b8d157
SHA1: 7a1681cec1309115e3ec2116664b0eae3cb81ef4
SHA256: 56f9b99e3802e1d339c450401d3e42374c4fd3cbcbdb35df136fe1e013aed9c9
Tags: 32, Amadey, exe, trojan

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: C:\Users\user\AppData\Local\Temp\dqatklnkhkik Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: 6.2.netsh.exe.57700c8.7.raw.unpack Malware Configuration Extractor: Amadey {"C2 url": "bestfitnessgymintheworld.com/8BvxwQdec3/index.php", "Version": "4.19"}
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Virustotal: Detection: 59%
Source: WggZw957eT.exe ReversingLabs: Detection: 50%
Source: WggZw957eT.exe Virustotal: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dqatklnkhkik Joe Sandbox ML: detected
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: bestfitnessgymintheworld.com
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: /8BvxwQdec3/index.php
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: S-%lu-
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: 2043a89613
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Dctooux.exe
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Startup
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: cmd /C RMDIR /s/q
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: rundll32
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Programs
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: %USERPROFILE%
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: cred.dll|clip.dll|
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: http://
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: https://
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: /Plugins/
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: &unit=
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: shell32.dll
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: kernel32.dll
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: GetNativeSystemInfo
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: ProgramData\
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: AVAST Software
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Kaspersky Lab
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Panda Security
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Doctor Web
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: 360TotalSecurity
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Bitdefender
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Norton
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Sophos
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Comodo
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: WinDefender
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: 0123456789
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: ------
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: ?scr=1
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: ComputerName
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: -unicode-
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: VideoID
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: DefaultSettings.XResolution
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: DefaultSettings.YResolution
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: ProductName
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: CurrentBuild
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: rundll32.exe
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: "taskkill /f /im "
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: " && timeout 1 && del
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: && Exit"
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: " && ren
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: Powershell.exe
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: shutdown -s -t 0
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: random
Source: 6.2.netsh.exe.57700c8.7.raw.unpack String decryptor: hC{p`-6

Exploits

Source: Yara match File source: 2.2.netsh.exe.5ca8378.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.netsh.exe.522ff78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.netsh.exe.5ca8f78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorer.exe.4f46f78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.netsh.exe.5c64a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WggZw957eT.exe.5b3ca0e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.explorer.exe.4fe5378.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorer.exe.4f46378.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.explorer.exe.4fe5f78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorer.exe.4f02a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.netsh.exe.522f378.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WggZw957eT.exe.5b3be0e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WggZw957eT.exe.5af8520.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.explorer.exe.4fa1a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.netsh.exe.51eba8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WggZw957eT.exe PID: 1196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: netsh.exe PID: 5488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: netsh.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4268, type: MEMORYSTR

Compliance

Source: C:\Users\user\Desktop\WggZw957eT.exe Unpacked PE file: 0.2.WggZw957eT.exe.400000.0.unpack
Source: WggZw957eT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: wntdll.pdbUGP source: WggZw957eT.exe, 00000000.00000002.1462755083.0000000006320000.00000004.00000800.00020000.00000000.sdmp, WggZw957eT.exe, 00000000.00000002.1459562690.0000000005646000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710317534.00000000058BA000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710611158.0000000005D40000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806882908.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806602191.0000000004E36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818670198.0000000004B52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1819011508.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806409348.0000000005070000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1805919560.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WggZw957eT.exe, 00000000.00000002.1462755083.0000000006320000.00000004.00000800.00020000.00000000.sdmp, WggZw957eT.exe, 00000000.00000002.1459562690.0000000005646000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710317534.00000000058BA000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710611158.0000000005D40000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806882908.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806602191.0000000004E36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818670198.0000000004B52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1819011508.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806409348.0000000005070000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1805919560.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: bestfitnessgymintheworld.com/8BvxwQdec3/index.php

System Summary

barindex
Source: 2.2.netsh.exe.5ca8378.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.netsh.exe.522ff78.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.netsh.exe.5ca8f78.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.explorer.exe.4f46f78.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.netsh.exe.5c64a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.WggZw957eT.exe.5b3ca0e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.4fe5378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.explorer.exe.4f46378.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.4fe5f78.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.explorer.exe.4f02a8a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.netsh.exe.522f378.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.WggZw957eT.exe.5b3be0e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.WggZw957eT.exe.5af8520.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.4fa1a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.netsh.exe.51eba8a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Windows\SysWOW64\netsh.exe File created: C:\Windows\Tasks\SecurityComv4.job
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04ED20A2 11_2_04ED20A2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04ED1C92 11_2_04ED1C92
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04EBC982 11_2_04EBC982
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04EE8923 11_2_04EE8923
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04EDF62A 11_2_04EDF62A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04ED5BB2 11_2_04ED5BB2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04EBF792 11_2_04EBF792
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04ED3B42 11_2_04ED3B42
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04ED79B2 11_2_04ED79B2
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 488
Source: WggZw957eT.exe Static PE information: invalid certificate
Source: WggZw957eT.exe, 00000000.00000002.1455401698.0000000002ACB000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs WggZw957eT.exe
Source: WggZw957eT.exe, 00000000.00000002.1459562690.0000000005769000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs WggZw957eT.exe
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs WggZw957eT.exe
Source: WggZw957eT.exe, 00000000.00000002.1462755083.000000000644D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs WggZw957eT.exe
Source: WggZw957eT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 2.2.netsh.exe.5ca8378.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.netsh.exe.522ff78.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.netsh.exe.5ca8f78.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.explorer.exe.4f46f78.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.netsh.exe.5c64a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.WggZw957eT.exe.5b3ca0e.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.4fe5378.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.explorer.exe.4f46378.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.4fe5f78.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.explorer.exe.4f02a8a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.netsh.exe.522f378.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.WggZw957eT.exe.5b3be0e.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.WggZw957eT.exe.5af8520.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.4fa1a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.netsh.exe.51eba8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@14/14@0/0
Source: C:\Windows\SysWOW64\netsh.exe File created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64
Source: C:\Users\user\Desktop\WggZw957eT.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$4ac
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4260
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1916:120:WilError_03
Source: C:\Users\user\Desktop\WggZw957eT.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$4ac
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1b98
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$113c
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$113c
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Mutant created: \Sessions\1\BaseNamedObjects\amstart-portable-start-menuC
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3284:120:WilError_03
Source: C:\Users\user\Desktop\WggZw957eT.exe File created: C:\Users\user\AppData\Local\Temp\WggZw957eT.madExcept
Source: Yara match File source: WggZw957eT.exe, type: SAMPLE
Source: Yara match File source: 0.0.WggZw957eT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1415289609.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1456718573.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe, type: DROPPED
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\WggZw957eT.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WggZw957eT.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WggZw957eT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WggZw957eT.exe ReversingLabs: Detection: 50%
Source: WggZw957eT.exe Virustotal: Detection: 59%
Source: explorer.exe String found in binary or memory: wild-stop-dirs
Source: explorer.exe String found in binary or memory: more-help
Source: WggZw957eT.exe String found in binary or memory: 250-STARTTLS
Source: WggZw957eT.exe String found in binary or memory: <html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: WggZw957eT.exe String found in binary or memory: n<html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: WggZw957eT.exe String found in binary or memory: XAt least one installed file seems to be corrupted, please reinstall Portable-Start-Menu!
Source: WggZw957eT.exe String found in binary or memory: amstart-portable-start-menu
Source: C:\Users\user\Desktop\WggZw957eT.exe File read: C:\Users\user\Desktop\WggZw957eT.exe
Source: unknown Process created: C:\Users\user\Desktop\WggZw957eT.exe "C:\Users\user\Desktop\WggZw957eT.exe"
Source: C:\Users\user\Desktop\WggZw957eT.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 488
Source: C:\Users\user\Desktop\WggZw957eT.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
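The process-creation lines above give the whole execution chain: the Delphi sample starts netsh.exe with no arguments, netsh.exe (a network configuration tool that has no reason to create a shell) starts the 32-bit C:\Windows\SysWOW64\explorer.exe, that explorer.exe crashes into WerFault.exe, and XoWatcher.exe later starts with no attributed parent, which is how a launch by the Task Scheduler job netsh.exe wrote to C:\Windows\Tasks would appear. The script below is an added example for this page, not code from Joe Sandbox or from the sample; it parses these lines into a process tree and applies four triage heuristics that are the editor's own assumptions about a clean host, not signatures from the report. The sample input is the report's own process-creation entries, embedded verbatim; the regex assumes image paths without spaces, which holds for this report.

```python
"""Rebuild the process tree from the report's "Process created" lines and
flag parent/child pairs that should not occur on a clean host.

Added example for this report page; the anomaly rules are the editor's
triage heuristics, not Joe Sandbox signatures.
"""
import re
from collections import defaultdict

# Constructed sample input: the "Process created" lines from the report,
# copied verbatim (one still carries the "Jump to behavior" link text).
SAMPLE_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\WggZw957eT.exe "C:\Users\user\Desktop\WggZw957eT.exe"',
    r'Source: C:\Users\user\Desktop\WggZw957eT.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe',
    r'Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: unknown Process created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe',
    r'Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe',
    r'Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe',
    r'Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 488',
    r'Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior',
]

# Image paths in this report contain no spaces, so \S+ is enough; quoted
# paths with spaces would need a shlex-style split instead (assumption).
LINE_RE = re.compile(
    r'^Source: (?P<parent>unknown|[A-Za-z]:\\\S+) Process created: '
    r'(?P<child>[A-Za-z]:\\\S+)(?: (?P<cmdline>.*))?$'
)

# Directories a standard user can write to; a binary starting from one of
# them with no attributed parent is what a .job / scheduled-task launch looks like.
USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\temp\\', '\\public\\')


def parse_process_lines(lines):
    """Return one record per parseable line: parent image, child image, child command line."""
    records = []
    for line in lines:
        line = re.sub(r'\s*Jump to behavior$', '', line.strip())  # drop report link residue
        m = LINE_RE.match(line)
        if m:
            records.append({'parent': m.group('parent'),
                            'child': m.group('child'),
                            'cmdline': m.group('cmdline') or ''})
    return records


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def build_tree(records):
    """Map each parent image to the ordered, de-duplicated list of its children."""
    tree = defaultdict(list)
    for r in records:
        if r['child'] not in tree[r['parent']]:
            tree[r['parent']].append(r['child'])
    return dict(tree)


def find_anomalies(records):
    """Return (rule, parent, child) tuples, one per distinct parent/child pair."""
    findings, seen = [], set()
    for r in records:
        p, c = r['parent'], r['child']
        if (p, c) in seen:
            continue
        seen.add((p, c))
        pb, cb = basename(p), basename(c)
        # netsh.exe configures networking; its only expected child is the
        # console host. Any other child means netsh is running someone else's code.
        if pb == 'netsh.exe' and cb != 'conhost.exe':
            findings.append(('netsh-spawns-child', p, c))
        # The real shell is C:\Windows\explorer.exe (64-bit). A freshly started
        # 32-bit copy under SysWOW64 is a classic injection/hollowing host.
        if cb == 'explorer.exe' and '\\syswow64\\' in c.lower():
            findings.append(('wow64-explorer-started', p, c))
        # Unattributed start of a binary living in a user-writable directory.
        if p == 'unknown' and any(d in c.lower() for d in USER_WRITABLE):
            findings.append(('unattributed-start-from-user-path', p, c))
        # WerFault.exe -p <pid>: the parent crashed, a common side effect of
        # injected code that does not fit its host process.
        if cb == 'werfault.exe' and '-p' in r['cmdline'].split():
            findings.append(('crash-reported', p, c))
    return findings


if __name__ == '__main__':
    recs = parse_process_lines(SAMPLE_LINES)
    for parent, children in build_tree(recs).items():
        print(parent)
        for child in children:
            print('    ->', child)
    for rule, parent, child in find_anomalies(recs):
        print(f'[{rule}] {parent} -> {child}')
```

Run against the embedded lines it reports four findings: the unattributed start of XoWatcher.exe from AppData, netsh.exe creating a child other than conhost.exe, that child being the SysWOW64 explorer.exe, and the WerFault crash report for it. The de-duplication on (parent, child) collapses the repeated netsh.exe -> explorer.exe entries that the report lists under several signatures.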
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: faultrep.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: olepro32.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: pla.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: tdh.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mstask.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: faultrep.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: faultrep.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: WggZw957eT.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: WggZw957eT.exe Static file information: File size 5892944 > 1048576
Source: WggZw957eT.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x35ae00
Source: WggZw957eT.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x22f200
Source: WggZw957eT.exe Static PE information: More than 200 imports for user32.dll
Source: Binary string: wntdll.pdbUGP source: WggZw957eT.exe, 00000000.00000002.1462755083.0000000006320000.00000004.00000800.00020000.00000000.sdmp, WggZw957eT.exe, 00000000.00000002.1459562690.0000000005646000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710317534.00000000058BA000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710611158.0000000005D40000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806882908.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806602191.0000000004E36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818670198.0000000004B52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1819011508.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806409348.0000000005070000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1805919560.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: WggZw957eT.exe, 00000000.00000002.1462755083.0000000006320000.00000004.00000800.00020000.00000000.sdmp, WggZw957eT.exe, 00000000.00000002.1459562690.0000000005646000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710317534.00000000058BA000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710611158.0000000005D40000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806882908.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806602191.0000000004E36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818670198.0000000004B52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1819011508.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806409348.0000000005070000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1805919560.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\WggZw957eT.exe Unpacked PE file: 0.2.WggZw957eT.exe.400000.0.unpack
Source: WggZw957eT.exe Static PE information: section name: .didata
Source: XoWatcher.exe.2.dr Static PE information: section name: .didata
Source: ahsqcnrtkaiwv.2.dr Static PE information: section name: brua
Source: dqatklnkhkik.6.dr Static PE information: section name: brua
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04EDACB2 push eax; ret 11_2_04EDACE0
Source: C:\Windows\SysWOW64\netsh.exe File created: C:\Users\user\AppData\Local\Temp\dqatklnkhkik
Source: C:\Windows\SysWOW64\netsh.exe File created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Source: C:\Windows\SysWOW64\netsh.exe File created: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv
Source: C:\Windows\SysWOW64\netsh.exe File created: C:\Windows\Tasks\SecurityComv4.job

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\netsh.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\AHSQCNRTKAIWV
Source: C:\Windows\SysWOW64\netsh.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DQATKLNKHKIK
Source: C:\Users\user\Desktop\WggZw957eT.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dqatklnkhkik
Source: C:\Windows\SysWOW64\netsh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv
Source: C:\Users\user\Desktop\WggZw957eT.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\WggZw957eT.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: Amcache.hve.15.dr Binary or memory string: VMware
Source: Amcache.hve.15.dr Binary or memory string: VMware Virtual USB Mouse
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: Amcache.hve.15.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.15.dr Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: Amcache.hve.15.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: Amcache.hve.15.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: netsh.exe, 00000006.00000002.1805766913.000000000085A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: Amcache.hve.15.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.15.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: netsh.exe, 00000002.00000002.1709871097.000000000378A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.15.dr Binary or memory string: vmci.sys
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: Amcache.hve.15.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.15.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.15.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.15.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.15.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\WggZw957eT.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_04EB5692 mov eax, dword ptr fs:[00000030h] 11_2_04EB5692

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\WggZw957eT.exe NtProtectVirtualMemory: Direct from: 0x6CF8D096
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe NtProtectVirtualMemory: Direct from: 0x6CF930E5
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe NtSetInformationThread: Direct from: 0x6DCECF
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe NtQuerySystemInformation: Direct from: 0x558855
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4260 base: 2BF0000 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4260 base: 2D4C2D8 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4260 base: 2D4D1E8 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4260 base: 8179C0 value: 55
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4260 base: 2D4D008 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4260 base: 170000 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4268 base: 2BF0000 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4268 base: 2D292D8 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4268 base: 2D2A1E8 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4268 base: 8179C0 value: 55
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4268 base: 2D2A008 value: 00
Source: C:\Windows\SysWOW64\netsh.exe Memory written: PID: 4268 base: 2E80000 value: 00
Source: C:\Users\user\Desktop\WggZw957eT.exe Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 8179C0
Source: C:\Windows\SysWOW64\netsh.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D4D008
Source: C:\Windows\SysWOW64\netsh.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 170000
Source: C:\Windows\SysWOW64\netsh.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D2A008
Source: C:\Windows\SysWOW64\netsh.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2E80000
Source: C:\Users\user\Desktop\WggZw957eT.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: WggZw957eT.exe, XoWatcher.exe.2.dr Binary or memory string: Shell_TrayWndSV
Source: C:\Users\user\Desktop\WggZw957eT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9e2366f7 VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe Queries volume information: C:\Users\user\AppData\Local\Temp\a391ff10 VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\WggZw957eT.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: Amcache.hve.15.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.15.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 2.2.netsh.exe.62500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.netsh.exe.62500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.netsh.exe.57700c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.netsh.exe.57700c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1817979458.0000000000171000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1805311134.0000000002E81000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1807110229.0000000005770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1710839057.0000000006250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dqatklnkhkik, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv, type: DROPPED
No contacted IP infos