Windows Analysis Report
9vZbHuuOq6.exe

Overview

General Information

Sample name: 9vZbHuuOq6.exe
Renamed because the original name is a hash value
Original sample name: 67696e7aa22ad87ce8ccec3a1baf5fd8.exe
Analysis ID: 1436575
MD5: 67696e7aa22ad87ce8ccec3a1baf5fd8
SHA1: bd9667590d20f06a917fb4cd3dee90c7263e2f59
SHA256: 737096609aeeedacb11b6bc2c68c020ae35bc485ea3fbe061e07d9acfdceda24
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected RisePro Stealer
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

AV Detection

Source: 9vZbHuuOq6.exe Virustotal: Detection: 67%
Source: 9vZbHuuOq6.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0041F3EB CryptUnprotectData,LocalFree, 0_2_0041F3EB
Source: 9vZbHuuOq6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: 9vZbHuuOq6.exe, 9vZbHuuOq6.exe, 00000000.00000002.2871416319.0000000000684000.00000040.00000001.01000000.00000003.sdmp
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 193.233.132.253:50500
Source: Joe Sandbox View IP Address: 193.233.132.253 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253 (reported 50 times)
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0041E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep, 0_2_0041E220
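The network observations above (a 32-bit process repeatedly connecting to one IP on TCP 50500 with no DNS query for it) are the kind of signal a SOC can detect from endpoint telemetry. The following is an added example, not Joe Sandbox code: it correlates DNS answers with outbound connections over constructed log lines (the pipe-delimited format, timestamps, pids and the 203.0.113.10 answer are made up; the 193.233.132.253:50500 destination is the one reported above) and flags connections the process made without resolving the destination first. Map your own telemetry (Sysmon event 22/3, Zeek dns/conn logs) onto parse_line() to reuse the logic; lines must be time-ordered.

```python
"""Detection logic for the network pattern in this report: repeated TCP
connections to an IP on a non-standard port with no preceding DNS resolution.
Added example, not Joe Sandbox code. The log lines are constructed in a
simple pipe-delimited form; map real telemetry onto parse_line() to reuse it."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

# Constructed telemetry (timestamps, pids and the 203.0.113.10 answer are made
# up; the 193.233.132.253:50500 destination is the one reported above).
SAMPLE_LOG = """\
2024-04-29T10:00:00|dns|pid=6584|query=ipinfo.io|answers=203.0.113.10
2024-04-29T10:00:01|conn|pid=6584|dst=203.0.113.10:443
2024-04-29T10:00:02|conn|pid=6584|dst=193.233.132.253:50500
2024-04-29T10:00:05|conn|pid=6584|dst=193.233.132.253:50500
2024-04-29T10:00:09|conn|pid=6584|dst=193.233.132.253:50500
2024-04-29T10:00:10|conn|pid=6584|dst=192.168.2.1:53
2024-04-29T10:30:00|conn|pid=4242|dst=203.0.113.10:443
""".splitlines()


def parse_line(line):
    """ts|kind|key=value|... -> dict; adapt this for real log formats."""
    ts, kind, *fields = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL)


def summarize(lines, window=timedelta(minutes=10)):
    """Per (pid, dst_ip, dst_port): connection count, which DNS name (if any)
    resolved to that IP within `window` before the connection, and whether
    the port is outside the common set. `window` stands in for the resolver
    cache TTL, since a process may reuse an earlier answer."""
    resolved = defaultdict(list)   # ip -> [(ts, queried name), ...]
    summary = {}
    for rec in map(parse_line, lines):
        if rec["kind"] == "dns":
            for ip in rec["answers"].split(","):
                resolved[ip].append((rec["ts"], rec["query"]))
        elif rec["kind"] == "conn":
            host, _, port = rec["dst"].rpartition(":")
            port = int(port)
            if is_internal(host):
                continue  # RFC1918/loopback/link-local: out of scope here
            key = (int(rec["pid"]), host, port)
            entry = summary.setdefault(key, {"count": 0, "resolved_via": None,
                                             "nonstandard_port": port not in COMMON_PORTS})
            entry["count"] += 1
            for ts, name in resolved[host]:
                if rec["ts"] - window <= ts <= rec["ts"]:
                    entry["resolved_via"] = name
    return summary


def suspicious(summary):
    """Connections the process made without resolving the destination first."""
    return {k: v for k, v in summary.items() if v["resolved_via"] is None}


if __name__ == "__main__":
    for (pid, host, port), info in suspicious(summarize(SAMPLE_LOG)).items():
        print(f"pid {pid} -> {host}:{port} x{info['count']} no DNS"
              + (" non-standard port" if info["nonstandard_port"] else ""))
```

Hard-coded IP plus non-standard port plus reconnect count is a stronger signal than any one of the three; the summary keeps all three so the rule that consumes it can weight them.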
Source: 9vZbHuuOq6.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 9vZbHuuOq6.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 9vZbHuuOq6.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: 9vZbHuuOq6.exe, 9vZbHuuOq6.exe, 00000000.00000002.2871337352.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 9vZbHuuOq6.exe, 00000000.00000002.2871337352.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: 9vZbHuuOq6.exe String found in binary or memory: https://ipinfo.io/
Source: 9vZbHuuOq6.exe, 00000000.00000002.2871337352.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: 9vZbHuuOq6.exe String found in binary or memory: https://sectigo.com/CPS0
Source: 9vZbHuuOq6.exe, 00000000.00000002.2872560581.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: 9vZbHuuOq6.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_014DCAC2 NtSetInformationThread, 0_2_014DCAC2
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00B121AA 0_2_00B121AA
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0044C160 0_2_0044C160
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00A1012C 0_2_00A1012C
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00B5916C 0_2_00B5916C
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004E925D 0_2_004E925D
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00487270 0_2_00487270
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00CB2298 0_2_00CB2298
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00A30202 0_2_00A30202
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00BD126B 0_2_00BD126B
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0047F360 0_2_0047F360
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00A1B3F8 0_2_00A1B3F8
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004E03D0 0_2_004E03D0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00C164E8 0_2_00C164E8
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00483470 0_2_00483470
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00402410 0_2_00402410
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00406430 0_2_00406430
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00B0C43A 0_2_00B0C43A
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_014D85D6 0_2_014D85D6
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004944E0 0_2_004944E0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0048B4F0 0_2_0048B4F0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0040C490 0_2_0040C490
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00416490 0_2_00416490
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0048C560 0_2_0048C560
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004E959F 0_2_004E959F
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00AE657A 0_2_00AE657A
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00402600 0_2_00402600
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00A176D0 0_2_00A176D0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004176B0 0_2_004176B0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00438770 0_2_00438770
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00D287ED 0_2_00D287ED
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0148069F 0_2_0148069F
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0043C800 0_2_0043C800
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00471830 0_2_00471830
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00B27802 0_2_00B27802
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004378A0 0_2_004378A0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00401900 0_2_00401900
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004FD9FE 0_2_004FD9FE
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004099A0 0_2_004099A0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0041F9B0 0_2_0041F9B0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00C70AD0 0_2_00C70AD0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00481A30 0_2_00481A30
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004E3B58 0_2_004E3B58
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0043FB60 0_2_0043FB60
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00B4DB89 0_2_00B4DB89
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00434B20 0_2_00434B20
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00AB7B09 0_2_00AB7B09
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0044EB90 0_2_0044EB90
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004E5B90 0_2_004E5B90
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00433C30 0_2_00433C30
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004F6CC5 0_2_004F6CC5
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_014C8DB8 0_2_014C8DB8
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0040CD50 0_2_0040CD50
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00A21DF6 0_2_00A21DF6
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00409D90 0_2_00409D90
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00414ED0 0_2_00414ED0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00418EE0 0_2_00418EE0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00CDAE7E 0_2_00CDAE7E
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00483EF0 0_2_00483EF0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0040BFC0 0_2_0040BFC0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00482FE0 0_2_00482FE0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0048BFB0 0_2_0048BFB0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0152DEAD 0_2_0152DEAD
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: String function: 004DD5B0 appears 33 times
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: String function: 00469F00 appears 32 times
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: String function: 004622E0 appears 35 times
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: String function: 00402D00 appears 42 times
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: String function: 0046A190 appears 120 times
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: String function: 00462150 appears 40 times
Source: 9vZbHuuOq6.exe Static PE information: invalid certificate
Source: 9vZbHuuOq6.exe, 00000000.00000000.1617659375.0000000001590000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexml_magik.exe8 vs 9vZbHuuOq6.exe
Source: 9vZbHuuOq6.exe Binary or memory string: OriginalFilenamexml_magik.exe8 vs 9vZbHuuOq6.exe
Source: classification engine Classification label: mal96.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9vZbHuuOq6.exe, 9vZbHuuOq6.exe, 00000000.00000002.2871337352.0000000000515000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 9vZbHuuOq6.exe, 00000000.00000002.2871337352.0000000000515000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe File read: C:\Users\user\Desktop\9vZbHuuOq6.exe
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Section loaded: mswsock.dll
Source: 9vZbHuuOq6.exe Static file information: File size 8876792 > 1048576
Source: 9vZbHuuOq6.exe Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x86c200
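Several of the static findings in this report (non-standard section names, an entry point outside the standard sections, a raw section larger than 0x100000, and the section-rights change seen on unpacking) can be reproduced from the PE headers alone. The following is an added example, not Joe Sandbox code: a small header parser plus the checks, run over a constructed header-only PE32 that mimics the reported .MPRESS1/.MPRESS2/.rsrc layout (the section sizes and entry RVA are assumptions chosen to match the report's numbers; the image is not loadable and carries no section data).

```python
"""Static PE triage for the packer indicators this report lists: non-standard
section names, an entry point outside the standard sections, sections that
are both writable and executable, and a raw section larger than 1 MiB.

Added example, not Joe Sandbox code. The image parsed below is a constructed
header-only PE32 that mimics the reported .MPRESS1/.MPRESS2/.rsrc layout."""
import struct

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # NumberOfSections at COFF+2, SizeOfOptionalHeader at COFF+16
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, rawsize, *_rest, flags = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "flags": flags})
        off += struct.calcsize(SECTION_HDR)
    return entry, sections


def triage(data, raw_limit=0x100000):
    """Apply the report's static checks; returns a list of finding strings."""
    entry, sections = parse_pe(data)
    findings = []
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']}")
        if s["flags"] & SCN_EXECUTE and s["flags"] & SCN_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["rawsize"] > raw_limit:
            findings.append(f"raw size of {s['name']} is bigger than: "
                            f"{raw_limit:#x} < {s['rawsize']:#x}")
    home = next((s for s in sections
                 if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        findings.append(f"entry point {entry:#x} is not inside any section")
    elif home["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point {entry:#x} lies outside standard sections: {home['name']}")
    return findings


def build_pe(sections, entry_rva):
    """Constructed header-only PE32 (enough for the checks above; not loadable).
    sections: [(name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)]"""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    hdrs = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"),
                                vs, va, rs, 0, 0, 0, 0, 0, fl)
                    for n, va, vs, rs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed layout mirroring the report: MPRESS sections, entry in .MPRESS2,
# .MPRESS1 raw size 0x86c200 as reported (addresses/sizes otherwise assumed).
PACKED = build_pe([
    (".MPRESS1", 0x1000,   0x86D000, 0x86C200, SCN_EXECUTE | SCN_READ),
    (".MPRESS2", 0x86E000, 0x2000,   0x1800,   SCN_EXECUTE | SCN_READ),
    (".rsrc",    0x870000, 0x1000,   0x800,    SCN_READ | SCN_WRITE),
], entry_rva=0x86E100)

# A conventional layout for comparison; should produce no findings.
CLEAN = build_pe([
    (".text",  0x1000, 0x4000, 0x4000, SCN_EXECUTE | SCN_READ),
    (".rdata", 0x5000, 0x1000, 0x1000, SCN_READ),
    (".data",  0x6000, 0x1000, 0x400,  SCN_READ | SCN_WRITE),
], entry_rva=0x1200)

if __name__ == "__main__":
    for label, image in ("packed", PACKED), ("clean", CLEAN):
        print(label, triage(image) or ["no findings"])
```

The same triage() runs on a real file via triage(open(path, "rb").read()); the writable-and-executable check fires on the on-disk headers only if the packer marks them so, which is why the report's unpacking signature compares rights before and after execution rather than trusting the static flags.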

Data Obfuscation

Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Unpacked PE file: 0.2.9vZbHuuOq6.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00418BB0 LoadLibraryA,GetProcAddress, 0_2_00418BB0
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
Source: 9vZbHuuOq6.exe Static PE information: section name: .MPRESS1
Source: 9vZbHuuOq6.exe Static PE information: section name: .MPRESS2
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006ED748 push edx; mov dword ptr [esp], 3BBD5B6Ah 0_2_0097D09E
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005A6C55 push ecx; mov dword ptr [esp], esp 0_2_009900CA
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00592243 push eax; mov dword ptr [esp], ecx 0_2_0098800D
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006A09D3 push 06718C5Ch; mov dword ptr [esp], ecx 0_2_009651B2
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005A65B9 push ebp; mov dword ptr [esp], esp 0_2_0095D1C5
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005A6DD6 push ecx; mov dword ptr [esp], ebx 0_2_0097F138
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004DD189 push ecx; ret 0_2_004DD19C
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00692488 push 0F84AB2Fh; mov dword ptr [esp], edx 0_2_00961D48
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005B300B push ebp; mov dword ptr [esp], eax 0_2_0097015F
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005B300B push 6C8B1C56h; mov dword ptr [esp], eax 0_2_00977BE3
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006A476A push 6E368399h; mov dword ptr [esp], eax 0_2_0094D2F3
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0067F050 push ecx; mov dword ptr [esp], esi 0_2_0096C21B
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0067F050 push ecx; mov dword ptr [esp], eax 0_2_009782AF
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00599614 push edx; mov dword ptr [esp], esi 0_2_0094325B
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00599614 push 1342D5EBh; mov dword ptr [esp], eax 0_2_00956CAA
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0067C440 push 7C6DB4EDh; mov dword ptr [esp], esp 0_2_0097438E
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005A3F6A push 61186C83h; mov dword ptr [esp], eax 0_2_00986EFB
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006EF638 push ecx; mov dword ptr [esp], ebx 0_2_009613DE
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006DE625 push ecx; mov dword ptr [esp], esi 0_2_0095D3F2
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00583288 push ebx; mov dword ptr [esp], esi 0_2_0097E310
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006D5E1B push 547DE74Ch; mov dword ptr [esp], edx 0_2_0097C49A
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006D5E1B push ebp; mov dword ptr [esp], 6FD7042Dh 0_2_0097C4A1
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006D5E1B push ebp; mov dword ptr [esp], eax 0_2_00998A38
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005A49C2 push 412391C8h; mov dword ptr [esp], ecx 0_2_009940F1
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005A61F2 push 59739203h; mov dword ptr [esp], esi 0_2_0095C42B
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_006D6457 push edx; mov dword ptr [esp], 3F2DDC60h 0_2_00991E5D
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00584DD0 push eax; mov dword ptr [esp], 16AB23CEh 0_2_009925F9
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00581D14 push esi; mov dword ptr [esp], edi 0_2_00962548
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0067D79E push ebx; mov dword ptr [esp], ecx 0_2_0095F55B
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_005ABED2 push ecx; mov dword ptr [esp], edi 0_2_0095F604
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0071FC27 push ebp; mov dword ptr [esp], edi 0_2_00963565
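Every pair in the list above has the same shape: a push whose value is immediately overwritten through [esp], so the pair is just a `push <src>` written in two instructions, and `push reg; ret` is a `jmp reg`. The following is an added example, not Joe Sandbox code: a peephole simplifier for those two patterns, run over pairs re-typed from the list above. It deliberately leaves the esp-source variant alone, because `mov [esp], esp` stores the already-decremented stack pointer and is not equivalent to `push esp`.

```python
"""Peephole simplifier for the `push X; mov dword ptr [esp], Y` and
`push reg; ret` sequences listed above. Added example, not Joe Sandbox code;
the input lines are the report's own instruction pairs, re-typed by hand."""
import re

# push <dead>; mov dword ptr [esp], <src>   ->   push <src>
PUSH_MOV = re.compile(
    r"^push\s+(?P<dead>.+?)\s*;\s*mov\s+dword\s+ptr\s+\[esp\]\s*,\s*(?P<src>\S+)$", re.I)
# push <target>; ret   ->   jmp <target>
PUSH_RET = re.compile(r"^push\s+(?P<target>\S+)\s*;\s*ret$", re.I)


def simplify(seq):
    """Return the equivalent plain instruction, or the input unchanged."""
    seq = seq.strip()
    m = PUSH_MOV.match(seq)
    if m:
        src = m.group("src")
        # The pushed value is overwritten before anything reads it and
        # neither push nor mov touches flags, so the pair is `push src`.
        # Exception: src == esp. The mov stores the post-push esp, which is
        # 4 less than what `push esp` stores, so that variant is kept as is.
        if src.lower() == "esp":
            return seq + "   ; NOT push esp: stores esp-4, left as is"
        return f"push {src}"
    m = PUSH_RET.match(seq)
    if m:
        return f"jmp {m.group('target')}"
    return seq


def simplify_listing(lines):
    """Simplify each sequence; returns [(original, simplified), ...]."""
    return [(line, simplify(line)) for line in lines]


# Pairs copied from the report's Data Obfuscation list (typed by hand).
SAMPLE = [
    "push edx; mov dword ptr [esp], 3BBD5B6Ah",
    "push ecx; mov dword ptr [esp], esp",
    "push 06718C5Ch; mov dword ptr [esp], ecx",
    "push ecx; ret",
    "push ebp; mov dword ptr [esp], 6FD7042Dh",
]

if __name__ == "__main__":
    for before, after in simplify_listing(SAMPLE):
        print(f"{before:45} -> {after}")
```

The rewrite only holds for the two-instruction window: if another instruction is scheduled between the push and the mov, or the dead operand is a memory read that can fault, the listing has to be checked by hand before collapsing it.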

Boot Survival

Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00481A30 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00481A30

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_0045D9F0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Window / User API: threadDelayed 6042
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe TID: 6576 Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe TID: 6576 Thread sleep count: 6042 > 30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 0_2_00464270
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 0_2_004624B0
Source: 9vZbHuuOq6.exe, 00000000.00000002.2872560581.000000000164A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h] (2 occurrences) 0_2_0045D9F0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] (5 occurrences) 0_2_0041AB90
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004160B0 mov ecx, dword ptr fs:[00000030h] 0_2_004160B0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004146B0 mov eax, dword ptr fs:[00000030h] 0_2_004146B0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] (12 occurrences) 0_2_00414ED0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0041EF10 mov eax, dword ptr fs:[00000030h] 0_2_0041EF10
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_00409690 OutputDebugStringA,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_00409690
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004149F0 cpuid 0_2_004149F0
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_004DC84D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_004DC84D
Source: C:\Users\user\Desktop\9vZbHuuOq6.exe Code function: 0_2_0040AF70 GetModuleHandleA,GetProcAddress,GetVersionExA, 0_2_0040AF70

Stealing of Sensitive Information

Source: Yara match File source: 0.2.9vZbHuuOq6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: 9vZbHuuOq6.exe PID: 6584, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.9vZbHuuOq6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: 9vZbHuuOq6.exe PID: 6584, type: MEMORYSTR