Analysis

Category: FILE
Package: Ursnif
Started: 2020-03-24 09:51:00
Completed: 2020-03-24 09:55:52
Duration: 292 seconds
  • Info: The analysis hit the critical timeout, terminating.
Options:
bp1 = 169314
bp0 = 123224
Log:
2020-03-24 09:51:00,000 [root] INFO: Date set to: 03-24-20, time set to: 09:51:00, timeout set to: 200
2020-03-24 09:51:00,358 [root] DEBUG: Starting analyzer from: C:\cnqkyfdy
2020-03-24 09:51:00,358 [root] DEBUG: Storing results at: C:\NZKWvu
2020-03-24 09:51:00,358 [root] DEBUG: Pipe server name: \\.\PIPE\QbkUTXyNHp
2020-03-24 09:51:00,358 [root] INFO: Analysis package "Ursnif" has been specified.
2020-03-24 09:51:05,865 [root] DEBUG: Started auxiliary module Browser
2020-03-24 09:51:05,865 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 09:51:05,865 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 09:51:08,798 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 09:51:08,813 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 09:51:08,813 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 09:51:08,828 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 09:51:08,828 [root] DEBUG: Started auxiliary module Human
2020-03-24 09:51:08,828 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 09:51:08,828 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 09:51:08,828 [root] DEBUG: Started auxiliary module Usage
2020-03-24 09:51:08,828 [root] INFO: Analyzer: DLL set to Ursnif.dll from package modules.packages.Ursnif
2020-03-24 09:51:08,828 [root] INFO: Analyzer: DLL_64 set to Ursnif_x64.dll from package modules.packages.Ursnif
2020-03-24 09:51:08,859 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\GZFMSI9xpp5Y7lH.exe" with arguments "" with pid 1964
2020-03-24 09:51:08,859 [lib.api.process] INFO: Option 'bp1' with value '169314' sent to monitor
2020-03-24 09:51:08,859 [lib.api.process] INFO: Option 'bp0' with value '123224' sent to monitor
2020-03-24 09:51:08,859 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2020-03-24 09:51:08,859 [lib.api.process] INFO: 32-bit DLL to inject is C:\cnqkyfdy\dll\InonXiUq.dll, loader C:\cnqkyfdy\bin\GMqduZp.exe
2020-03-24 09:51:08,891 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QbkUTXyNHp.
2020-03-24 09:51:08,891 [root] DEBUG: Loader: Injecting process 1964 (thread 420) with C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:08,891 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:51:08,891 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:08,891 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:51:08,891 [root] DEBUG: Successfully injected DLL C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:08,907 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1964
2020-03-24 09:51:10,920 [lib.api.process] INFO: Successfully resumed process with pid 1964
2020-03-24 09:51:10,920 [root] INFO: Added new process to list with pid: 1964
2020-03-24 09:51:11,246 [root] DEBUG: (0) CAPE debug - unrecognised key terminate-processes.
2020-03-24 09:51:11,246 [root] DEBUG: (0) bp1 set to 0x29562
2020-03-24 09:51:11,246 [root] DEBUG: (0) bp0 set to 0x1e158
2020-03-24 09:51:11,355 [root] INFO: Disabling sleep skipping.
2020-03-24 09:51:11,355 [root] INFO: Disabling sleep skipping.
2020-03-24 09:51:11,355 [root] DEBUG: (1964) WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 09:51:11,355 [root] INFO: Disabling sleep skipping.
2020-03-24 09:51:11,355 [root] INFO: Disabling sleep skipping.
2020-03-24 09:51:11,371 [root] DEBUG: (1964) WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x230000
2020-03-24 09:51:11,371 [root] DEBUG: (1964) CAPE initialised: 32-bit Ursnif package. Loaded at 0x74880000
2020-03-24 09:51:11,371 [root] INFO: Monitor successfully loaded in process with pid 1964.
2020-03-24 09:51:11,871 [root] DEBUG: (1964) lstrcpynA hook: Ursnif payload marker: .bss.
2020-03-24 09:51:11,871 [root] DEBUG: (1964) GetReturnAddress: operate_on_backtrace call with Ebp 0x18fef4.
2020-03-24 09:51:11,871 [root] DEBUG: (1964) GetHookCallerBase: thread 420 (handle 0xc8), return address 0x004045C8, allocation base 0x00400000.
2020-03-24 09:51:11,887 [root] DEBUG: (1964) FileOffsetToVA: Debug - VA = 0x00421358.
2020-03-24 09:51:11,887 [root] DEBUG: (1964) SetInitialBreakpoint: FileOffsetToVA gives VA 0x00421358 for bp0.
2020-03-24 09:51:11,887 [root] DEBUG: (1964) SetInitialBreakpoint: Not within Ursnif payload - bailing.
2020-03-24 09:51:50,543 [root] DEBUG: (1964) NtCreateThreadEx: Initialising breakpoints for thread 2968.
2020-03-24 09:51:50,792 [root] INFO: Announced 32-bit process name: cmd.exe pid: 3060
2020-03-24 09:51:50,792 [lib.api.process] INFO: Option 'bp1' with value '169314' sent to monitor
2020-03-24 09:51:50,792 [lib.api.process] INFO: Option 'bp0' with value '123224' sent to monitor
2020-03-24 09:51:50,792 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2020-03-24 09:51:50,792 [lib.api.process] INFO: 32-bit DLL to inject is C:\cnqkyfdy\dll\InonXiUq.dll, loader C:\cnqkyfdy\bin\GMqduZp.exe
2020-03-24 09:51:50,809 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QbkUTXyNHp.
2020-03-24 09:51:50,809 [root] DEBUG: Loader: Injecting process 3060 (thread 1644) with C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:50,809 [root] DEBUG: Process image base: 0x49F80000
2020-03-24 09:51:50,809 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:50,809 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:51:50,809 [root] DEBUG: Successfully injected DLL C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:50,809 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3060
2020-03-24 09:51:50,809 [root] DEBUG: (0) CAPE debug - unrecognised key terminate-processes.
2020-03-24 09:51:50,809 [root] DEBUG: (0) bp1 set to 0x29562
2020-03-24 09:51:50,809 [root] DEBUG: (0) bp0 set to 0x1e158
2020-03-24 09:51:50,809 [root] INFO: Disabling sleep skipping.
2020-03-24 09:51:50,823 [root] DEBUG: (3060) WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 09:51:50,823 [root] DEBUG: (3060) WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x170000
2020-03-24 09:51:50,823 [root] DEBUG: (3060) CAPE initialised: 32-bit Ursnif package. Loaded at 0x74880000
2020-03-24 09:51:50,823 [root] INFO: Added new process to list with pid: 3060
2020-03-24 09:51:50,823 [root] INFO: Monitor successfully loaded in process with pid 3060.
2020-03-24 09:51:50,839 [root] INFO: Notified of termination of process with pid 1964.
2020-03-24 09:51:50,839 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2792
2020-03-24 09:51:50,855 [lib.api.process] INFO: Option 'bp1' with value '169314' sent to monitor
2020-03-24 09:51:50,855 [lib.api.process] INFO: Option 'bp0' with value '123224' sent to monitor
2020-03-24 09:51:50,855 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2020-03-24 09:51:50,855 [lib.api.process] INFO: 32-bit DLL to inject is C:\cnqkyfdy\dll\InonXiUq.dll, loader C:\cnqkyfdy\bin\GMqduZp.exe
2020-03-24 09:51:50,887 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QbkUTXyNHp.
2020-03-24 09:51:50,901 [root] DEBUG: Loader: Injecting process 2792 (thread 2808) with C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:50,934 [root] DEBUG: Process image base: 0x49F80000
2020-03-24 09:51:50,934 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:50,934 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:51:50,934 [root] DEBUG: Successfully injected DLL C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:50,934 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2792
2020-03-24 09:51:50,934 [root] DEBUG: (0) CAPE debug - unrecognised key terminate-processes.
2020-03-24 09:51:50,948 [root] DEBUG: (0) bp1 set to 0x29562
2020-03-24 09:51:50,948 [root] DEBUG: (0) bp0 set to 0x1e158
2020-03-24 09:51:50,964 [root] INFO: Disabling sleep skipping.
2020-03-24 09:51:50,964 [root] DEBUG: (2792) WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 09:51:50,964 [root] DEBUG: (2792) WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x270000
2020-03-24 09:51:50,980 [root] DEBUG: (2792) CAPE initialised: 32-bit Ursnif package. Loaded at 0x74880000
2020-03-24 09:51:50,996 [root] INFO: Added new process to list with pid: 2792
2020-03-24 09:51:50,996 [root] INFO: Monitor successfully loaded in process with pid 2792.
2020-03-24 09:51:50,996 [root] INFO: Announced 32-bit process name: corrawex.exe pid: 836
2020-03-24 09:51:51,012 [lib.api.process] INFO: Option 'bp1' with value '169314' sent to monitor
2020-03-24 09:51:51,012 [lib.api.process] INFO: Option 'bp0' with value '123224' sent to monitor
2020-03-24 09:51:51,012 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2020-03-24 09:51:51,012 [lib.api.process] INFO: 32-bit DLL to inject is C:\cnqkyfdy\dll\InonXiUq.dll, loader C:\cnqkyfdy\bin\GMqduZp.exe
2020-03-24 09:51:51,026 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QbkUTXyNHp.
2020-03-24 09:51:51,042 [root] DEBUG: Loader: Injecting process 836 (thread 1836) with C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:51,058 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:51:51,058 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:51,073 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:51:51,089 [root] DEBUG: Successfully injected DLL C:\cnqkyfdy\dll\InonXiUq.dll.
2020-03-24 09:51:51,089 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 836
2020-03-24 09:51:51,105 [root] DEBUG: (0) CAPE debug - unrecognised key terminate-processes.
2020-03-24 09:51:51,121 [root] DEBUG: (0) bp1 set to 0x29562
2020-03-24 09:51:51,135 [root] DEBUG: (0) bp0 set to 0x1e158
2020-03-24 09:51:51,183 [root] INFO: Disabling sleep skipping.
2020-03-24 09:51:51,213 [root] DEBUG: (836) WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 09:51:51,230 [root] DEBUG: (836) WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x270000
2020-03-24 09:51:51,230 [root] DEBUG: (836) CAPE initialised: 32-bit Ursnif package. Loaded at 0x74880000
2020-03-24 09:51:51,230 [root] INFO: Added new process to list with pid: 836
2020-03-24 09:51:51,230 [root] INFO: Monitor successfully loaded in process with pid 836.
2020-03-24 09:51:51,510 [root] DEBUG: (836) lstrcpynA hook: Ursnif payload marker: .bss.
2020-03-24 09:51:51,510 [root] DEBUG: (836) GetReturnAddress: operate_on_backtrace call with Ebp 0x18fef4.
2020-03-24 09:51:51,510 [root] DEBUG: (836) GetHookCallerBase: thread 1836 (handle 0xc8), return address 0x004045C8, allocation base 0x00400000.
2020-03-24 09:51:51,510 [root] DEBUG: (836) FileOffsetToVA: Debug - VA = 0x00421358.
2020-03-24 09:51:51,510 [root] DEBUG: (836) SetInitialBreakpoint: FileOffsetToVA gives VA 0x00421358 for bp0.
2020-03-24 09:51:51,526 [root] DEBUG: (836) SetInitialBreakpoint: Not within Ursnif payload - bailing.
2020-03-24 09:52:02,509 [root] DEBUG: (836) NtCreateThreadEx: Initialising breakpoints for thread 2656.
2020-03-24 09:52:02,571 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2636
2020-03-24 09:52:02,571 [lib.api.process] INFO: Option 'bp1' with value '169314' sent to monitor
2020-03-24 09:52:02,571 [lib.api.process] INFO: Option 'bp0' with value '123224' sent to monitor
2020-03-24 09:52:02,571 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2020-03-24 09:52:02,571 [lib.api.process] INFO: 64-bit DLL to inject is C:\cnqkyfdy\dll\izRoTXu.dll, loader C:\cnqkyfdy\bin\IIeEtzQJ.exe
2020-03-24 09:52:02,586 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QbkUTXyNHp.
2020-03-24 09:52:02,586 [root] DEBUG: Loader: Injecting process 2636 (thread 2584) with C:\cnqkyfdy\dll\izRoTXu.dll.
2020-03-24 09:52:02,586 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 09:52:02,601 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\cnqkyfdy\dll\izRoTXu.dll.
2020-03-24 09:52:02,618 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:52:02,618 [root] DEBUG: Successfully injected DLL C:\cnqkyfdy\dll\izRoTXu.dll.
2020-03-24 09:52:02,618 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2636
2020-03-24 09:52:02,664 [root] DEBUG: (0) CAPE debug - unrecognised key terminate-processes.
2020-03-24 09:52:02,680 [root] DEBUG: (0) bp1 set to 0x29562
2020-03-24 09:52:02,680 [root] DEBUG: (0) bp0 set to 0x1e158
2020-03-24 09:52:02,680 [root] INFO: Disabling sleep skipping.
2020-03-24 09:52:02,711 [root] DEBUG: (2636) CAPE initialised: 64-bit Ursnif package. Loaded at 0x0000000074400000
2020-03-24 09:52:02,711 [root] INFO: Added new process to list with pid: 2636
2020-03-24 09:52:02,711 [root] INFO: Monitor successfully loaded in process with pid 2636.
2020-03-24 09:52:02,821 [root] INFO: Notified of termination of process with pid 836.
2020-03-24 09:52:02,835 [root] INFO: Notified of termination of process with pid 2792.
2020-03-24 09:52:02,835 [root] INFO: Notified of termination of process with pid 3060.
2020-03-24 09:52:02,851 [root] DEBUG: (2636) lstrcpynA hook: Ursnif payload marker: .bss.
2020-03-24 09:52:02,851 [root] DEBUG: (2636) GetReturnAddress: operate_on_backtrace call with Rip 0x000007FEBD3D0080.
2020-03-24 09:52:02,851 [root] DEBUG: (2636) GetHookCallerBase: thread 2584 (handle 0xb4), return address 0x00000000035014ED, allocation base 0x0000000003500000.
2020-03-24 09:52:02,851 [root] DEBUG: (2636) FileOffsetToVA: Debug - VA = 0x000000000351ED58.
2020-03-24 09:52:02,851 [root] DEBUG: (2636) SetInitialBreakpoint: FileOffsetToVA gives VA 0x000000000351ED58 for bp0.
2020-03-24 09:52:02,851 [root] DEBUG: (2636) SetInitialBreakpoint: Not within Ursnif payload - bailing.
2020-03-24 09:52:02,851 [root] DEBUG: (2636) NtCreateThreadEx: Initialising breakpoints for thread 1132.
2020-03-24 09:52:31,743 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 09:52:31,743 [lib.api.process] INFO: Option 'bp1' with value '169314' sent to monitor
2020-03-24 09:52:31,743 [lib.api.process] INFO: Option 'bp0' with value '123224' sent to monitor
2020-03-24 09:52:31,743 [lib.api.process] INFO: Option 'exclude-apis' with value 'NtCreateFile:NtWriteFile:NtDeleteFile:NtQueryInformationFile' sent to monitor
2020-03-24 09:52:31,743 [lib.api.process] INFO: 64-bit DLL to inject is C:\cnqkyfdy\dll\izRoTXu.dll, loader C:\cnqkyfdy\bin\IIeEtzQJ.exe
2020-03-24 09:52:31,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QbkUTXyNHp.
2020-03-24 09:52:31,743 [root] DEBUG: Loader: Injecting process 1632 (thread 2776) with C:\cnqkyfdy\dll\izRoTXu.dll.
2020-03-24 09:52:31,743 [root] DEBUG: Process image base: 0x00000000FF900000
2020-03-24 09:52:31,759 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 09:52:31,759 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 09:52:31,759 [root] DEBUG: (0) CAPE debug - unrecognised key terminate-processes.
2020-03-24 09:52:31,759 [root] DEBUG: (0) bp1 set to 0x29562
2020-03-24 09:52:31,759 [root] DEBUG: (0) bp0 set to 0x1e158
2020-03-24 09:52:31,759 [root] INFO: Disabling sleep skipping.
2020-03-24 09:52:31,821 [root] DEBUG: (1632) CAPE initialised: 64-bit Ursnif package. Loaded at 0x0000000074400000
2020-03-24 09:52:31,821 [root] INFO: Added new process to list with pid: 1632
2020-03-24 09:52:31,821 [root] INFO: Monitor successfully loaded in process with pid 1632.
2020-03-24 09:52:31,836 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 09:52:31,836 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 09:52:31,836 [root] DEBUG: Successfully injected DLL C:\cnqkyfdy\dll\izRoTXu.dll.
2020-03-24 09:52:31,851 [root] DEBUG: (1632) lstrcpynA hook: Ursnif payload marker: .bss.
2020-03-24 09:52:31,851 [root] DEBUG: (1632) GetReturnAddress: operate_on_backtrace call with Rip 0x000007FEBD3D0080.
2020-03-24 09:52:31,851 [root] DEBUG: (1632) GetHookCallerBase: thread 2776 (handle 0x0), return address 0x00000000069C14ED, allocation base 0x00000000069C0000.
2020-03-24 09:52:31,851 [root] DEBUG: (2636) CreateThread: Initialising breakpoints for thread 1568.
2020-03-24 09:52:31,851 [root] DEBUG: (1632) FileOffsetToVA: Debug - VA = 0x00000000069DED58.
2020-03-24 09:52:31,868 [root] DEBUG: (2636) CreateThread: Initialising breakpoints for thread 2864.
2020-03-24 09:52:31,868 [root] DEBUG: (1632) SetInitialBreakpoint: FileOffsetToVA gives VA 0x00000000069DED58 for bp0.
2020-03-24 09:52:31,868 [root] DEBUG: (1632) SetInitialBreakpoint: Not within Ursnif payload - bailing.
2020-03-24 09:52:31,898 [root] INFO: Notified of termination of process with pid 2636.
2020-03-24 09:52:32,023 [root] DEBUG: (1632) CreateThread: Initialising breakpoints for thread 3032.
2020-03-24 09:53:00,727 [root] DEBUG: (1632) CreateThread: Initialising breakpoints for thread 2968.
2020-03-24 09:54:31,816 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 09:54:31,816 [root] INFO: Created shutdown mutex.
2020-03-24 09:54:32,831 [lib.api.process] INFO: Terminate event set for process 1632

MalScore

10.0

Malicious

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2020-03-24 09:51:00
Shutdown On: 2020-03-24 09:55:47

File Details

File Name ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
File Size 322048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0116e1cc3ef60e3cb910654c95e1d1c6
SHA1 a9126493e87f3f761efe8ae9aed4cc4e58ed819e
SHA256 ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
SHA512 40f2880784f086494f19109aa0ca196fe4d0b5764ee17da8d2227582693ea9097b9e977faa1e62288b6bc0f56f813672150915b018b14a21b7014df3a9aaee6a
CRC32 588CA946
Ssdeep 6144:BoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:KTH8ru5kEu9tx/kWtvfFYCE
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
command: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE""
Possible date expiration check, exits too soon after checking local time
process: GZFMSI9xpp5Y7lH.exe, PID 1964
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: SHLWAPI.dll/PathFindExtensionW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindExtensionA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/StrTrimW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/keybd_event
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetCursorInfo
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: WINTRUST.dll/WinVerifyTrust
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/Wow64EnableWow64FsRedirection
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: SHLWAPI.dll/PathFindExtensionW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindExtensionA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/StrTrimW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/keybd_event
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetCursorInfo
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: WINTRUST.dll/WinVerifyTrust
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/Wow64EnableWow64FsRedirection
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64ReadVirtualMemory64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/strcpy
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/NtResumeProcess
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtSuspendProcess
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/_snprintf
DynamicLoader: ntdll.dll/_wcsupr
DynamicLoader: ntdll.dll/_strupr
DynamicLoader: ntdll.dll/memmove
DynamicLoader: ntdll.dll/wcscpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwQueryKey
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/wcstombs
DynamicLoader: ntdll.dll/RtlImageNtHeader
DynamicLoader: ntdll.dll/RtlAdjustPrivilege
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/sprintf
DynamicLoader: ntdll.dll/wcscat
DynamicLoader: ntdll.dll/__C_specific_handler
DynamicLoader: ntdll.dll/__chkstk
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/RemoveDirectoryA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/OpenWaitableTimerA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/UnregisterWait
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/RegisterWaitForSingleObject
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/OpenFileMappingA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CallNamedPipeA
DynamicLoader: kernel32.dll/WaitNamedPipeA
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetOverlappedResult
DynamicLoader: kernel32.dll/DisconnectNamedPipe
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/RemoveDirectoryW
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: ntdll.dll/RtlExitUserThread
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/strcpy
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/NtResumeProcess
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtSuspendProcess
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/_snprintf
DynamicLoader: ntdll.dll/_wcsupr
DynamicLoader: ntdll.dll/_strupr
DynamicLoader: ntdll.dll/memmove
DynamicLoader: ntdll.dll/wcscpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwQueryKey
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/wcstombs
DynamicLoader: ntdll.dll/RtlImageNtHeader
DynamicLoader: ntdll.dll/RtlAdjustPrivilege
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/sprintf
DynamicLoader: ntdll.dll/wcscat
DynamicLoader: ntdll.dll/__C_specific_handler
DynamicLoader: ntdll.dll/__chkstk
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/RemoveDirectoryA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/OpenWaitableTimerA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/UnregisterWait
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/RegisterWaitForSingleObject
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/OpenFileMappingA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CallNamedPipeA
DynamicLoader: kernel32.dll/WaitNamedPipeA
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetOverlappedResult
DynamicLoader: kernel32.dll/DisconnectNamedPipe
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/RemoveDirectoryW
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
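The DynamicLoader lines above are the exports the sample resolved at run time rather than importing statically, and the combination of NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, OpenThread/QueueUserAPC, CreateRemoteThread and the WinHTTP client set is what drives the injection and network signatures that follow. The script below is an added triage helper, not part of this sandbox report or of CAPE: it parses lines in the report's own `DynamicLoader: dll/Export` format, counts how often each export was resolved (a single export resolved in a loop, like the sixteen ZwWow64QueryInformationProcess64 entries, is itself a hint), and maps API combinations to the capabilities they imply. The technique-to-API mapping is my own assumption, modelled on the kind of reasoning a sandbox signature does; it is not the signature logic that produced this page.

```python
"""Map the APIs a sample resolves at run time (the report's DynamicLoader
lines) to the capabilities they imply.

Added triage helper, not part of the sandbox report or of CAPE. The
TECHNIQUES mapping below is my own assumption about which resolved exports
are worth flagging together; it mirrors what a sandbox signature checks but
is not the signature code behind this report.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^\s*DynamicLoader:\s*([^/\s]+)/(\S*)\s*$")

# Each technique lists alternative API sets; it is reported when every API of
# at least one set was resolved. Keys are lower-cased dll + "/" + export name.
TECHNIQUES = {
    "process hollowing (unmap + remap + resume)": [
        {"ntdll.dll/NtUnmapViewOfSection", "ntdll.dll/NtMapViewOfSection",
         "kernel32.dll/ResumeThread"},
    ],
    "section-mapping injection": [
        {"ntdll.dll/NtCreateSection", "ntdll.dll/NtMapViewOfSection",
         "kernel32.dll/OpenProcess"},
    ],
    "remote execution (thread or APC)": [
        {"kernel32.dll/CreateRemoteThread"},
        {"kernel32.dll/OpenThread", "kernel32.dll/QueueUserAPC"},
    ],
    "thread enumeration (Toolhelp32)": [
        {"kernel32.dll/CreateToolhelp32Snapshot", "kernel32.dll/Thread32First",
         "kernel32.dll/Thread32Next"},
    ],
    "named-pipe IPC": [
        {"kernel32.dll/CreateNamedPipeA", "kernel32.dll/ConnectNamedPipe"},
    ],
    "HTTP client (WinHTTP)": [
        {"winhttp.dll/WinHttpOpen", "winhttp.dll/WinHttpConnect",
         "winhttp.dll/WinHttpSendRequest"},
    ],
    "WOW64 inspection of 64-bit processes": [
        {"ntdll.dll/ZwWow64QueryInformationProcess64",
         "ntdll.dll/ZwWow64ReadVirtualMemory64"},
    ],
    "privilege adjustment": [{"ntdll.dll/RtlAdjustPrivilege"}],
    "Run-key persistence capability": [
        {"advapi32.dll/RegCreateKeyA", "advapi32.dll/RegSetValueExA"},
        {"advapi32.dll/RegOpenKeyW", "advapi32.dll/RegSetValueExW"},
    ],
}


def parse_dynamic_loader(report_text):
    """Return a Counter of 'dll/Export' -> number of times it was resolved.

    An empty export name (resolution by ordinal, printed in the report as
    e.g. 'OLEAUT32.dll/') is counted under 'dll/<ordinal>'.
    """
    counts = Counter()
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dll, func = m.group(1).lower(), m.group(2) or "<ordinal>"
        counts[f"{dll}/{func}"] += 1
    return counts


def classify(counts):
    """Return {technique: sorted list of the APIs that satisfied it}."""
    resolved = set(counts)
    hits = {}
    for name, alternatives in TECHNIQUES.items():
        for apis in alternatives:
            if apis <= resolved:
                hits[name] = sorted(apis)
                break
    return hits


def most_repeated(counts, n=3):
    """Exports resolved most often; repeats usually mean a loop over
    processes or threads rather than a one-off lookup."""
    return counts.most_common(n)


# Constructed input: lines copied from the report above plus one ordinal-only
# entry, enough to exercise every rule in TECHNIQUES.
SAMPLE = """
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/RtlAdjustPrivilege
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64ReadVirtualMemory64
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: OLEAUT32.dll/
"""

if __name__ == "__main__":
    c = parse_dynamic_loader(SAMPLE)
    for technique, apis in classify(c).items():
        print(f"{technique}: {', '.join(apis)}")
    print("most repeated:", most_repeated(c))
```

Feed the whole DynamicLoader block of a report to `parse_dynamic_loader` to get the same classification for the full run; the rules are deliberately conservative (each needs the complete set), so a match is a reason to look at the process tree, not a verdict on its own.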
A process created a hidden window
Process: GZFMSI9xpp5Y7lH.exe -> C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00045a00, virtual_size: 0x00045910
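An entropy of 8.00 over a 0x45a00-byte .rsrc section means the bytes are as close to uniformly random as a measurement can get, which is what compressed or encrypted payload data looks like and why the signature fires. The block below is an added example, not the sandbox's own code (CAPE derives this line with pefile): a stdlib-only parser that walks a PE section table from an in-memory image and computes the Shannon entropy of each section's raw bytes, plus a constructed two-section image so it runs offline. The 7.0 "probably packed" cut-off is an assumed convention; the report prints the value and leaves the judgement to the reader.

```python
"""Per-section Shannon entropy of a PE image, the measurement behind the
'.rsrc, entropy: 8.00' line above.

Added example, not the sandbox's code (CAPE computes this with pefile; this
is a stdlib-only re-implementation of the same check). The 7.0 cut-off for
'probably packed or encrypted' is an assumed convention, not something the
report states; the maximum possible value is 8.0 bits per byte.
"""
import math
import struct

PACKED_THRESHOLD = 7.0  # assumed cut-off


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Parse the section table of a PE image held in memory.

    Returns one dict per section with its name, sizes, characteristics and
    the entropy of its raw bytes; raises ValueError on a non-PE blob.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _va, rsize, rptr, _rel, _lin, _nrel, _nlin, chars = \
            struct.unpack_from("<8sIIIIIIHHI", image, table + i * 40)
        raw = image[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "characteristics": chars,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def suspicious_sections(sections, threshold=PACKED_THRESHOLD):
    """Names of non-empty sections at or above the entropy threshold."""
    return [s["name"] for s in sections
            if s["raw_size"] and s["entropy"] >= threshold]


def build_test_pe(sections):
    """Construct a minimal, non-executable PE image from (name, bytes) pairs.

    Fixture for this example only: DOS header, PE signature, COFF header with
    a zero-length optional header, one 40-byte header per section, raw data.
    Section characteristics are fixed to INITIALIZED_DATA|MEM_READ, the
    value the report shows for .rsrc.
    """
    e_lfanew = 0x40
    data_start = e_lfanew + 4 + 20 + len(sections) * 40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers, raw, ptr = b"", b"", data_start
    for name, blob in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob),
                               0x1000, len(blob), ptr, 0, 0, 0, 0, 0x40000040)
        raw += blob
        ptr += len(blob)
    return dos + b"PE\0\0" + coff + headers + raw


# Constructed image: a zero-filled .text and a .rsrc whose byte histogram is
# exactly flat, which is the only way to reach the 8.00 the report shows.
SAMPLE_IMAGE = build_test_pe([
    (b".text", b"\0" * 4096),
    (b".rsrc", bytes(range(256)) * 256),
])

if __name__ == "__main__":
    for s in pe_sections(SAMPLE_IMAGE):
        print(f"{s['name']:<8} raw=0x{s['raw_size']:08x} entropy={s['entropy']:.2f}")
    print("suspicious:", suspicious_sections(pe_sections(SAMPLE_IMAGE)))
```

To check a real file, pass `open(path, "rb").read()` to `pe_sections`; note that a raw_size of zero (a section that exists only in memory) yields 0.0 entropy, which is why `suspicious_sections` skips empty sections rather than treating them as clean.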
Uses Windows utilities for basic functionality
command: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE""
Uses Windows utilities for basic functionality
command: C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE"
Queries information on disks for anti-virtualization via Device Information APIs
Behavioural detection: Injection (Process Hollowing)
Injection: corrawex.exe(836) -> svchost.exe(2636)
Executed a process and injected code into it, probably while unpacking
Injection: corrawex.exe(836) -> svchost.exe(2636)
Deletes its original binary from disk
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
data: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
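Three of the signatures above leave host artefacts a responder can look for directly: the Run value `dnshdrt` pointing into a newly created directory under %APPDATA%\Microsoft, the batch file in a short hex-named %TEMP% subdirectory that is handed the new copy and the original dropper path (the mechanism behind "Deletes its original binary from disk"), and the per-user key under Software\AppDataLow\Software\Microsoft\<GUID> that appears in the registry summary below with Client/Ini/Temp/Scr/Keys values. The code below is added triage logic, not part of the sandbox report; the regular expressions are my own generalisations of exactly those paths and names from this report, and the sample input is built from the report's own values.

```python
"""Turn the persistence and self-deletion indicators reported above into
checks a responder can run over a host's Run values, process command lines
and touched registry keys.

Added triage code, not part of the sandbox report. The patterns are my own
(assumed) generalisations of what the report shows: a Run value pointing at
a directory under %APPDATA%\\Microsoft, a batch file in a hex-named %TEMP%
subdirectory given the new copy and the original dropper path as arguments,
and a per-user key Software\\AppDataLow\\Software\\Microsoft\\<GUID> holding
values named Client/Ini/Temp/Scr/Keys.
"""
import re

# Run value whose target lives in a per-user, user-writable tree.
USER_WRITABLE_RE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)|%APPDATA%|%LOCALAPPDATA%)\\",
    re.IGNORECASE)
# Batch file in %TEMP%\<hex>\<hex>.bat, as in ...\Temp\6C92\3BA9.bat above.
TEMP_BAT_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9A-F]{1,8}\\[0-9A-F]{1,8}\.bat\b", re.IGNORECASE)
EXE_ARG_RE = re.compile(r'"([^"]+?\.exe)"', re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# HKCU\Software\AppDataLow\Software\Microsoft\<GUID without braces>[\subkey]
APPDATALOW_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\"
    r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}(?:\\|$)",
    re.IGNORECASE)
CONFIG_VALUE_NAMES = {"Client", "Ini", "Temp", "Scr", "Keys"}


def check_run_value(name, target):
    """Findings for one HKCU\\...\\Run value (name -> command or path)."""
    findings = []
    if USER_WRITABLE_RE.match(target.strip('"')):
        findings.append(f"Run\\{name}: target in user-writable profile path: {target}")
    return findings


def check_command_line(cmdline):
    """Findings for one process command line."""
    findings = []
    if TEMP_BAT_RE.search(cmdline):
        findings.append("batch file executed from hex-named %TEMP% subdirectory")
    exes = EXE_ARG_RE.findall(cmdline)
    if len(exes) >= 2 and any(TEMP_PATH_RE.search(e) for e in exes):
        findings.append("two executable paths passed as arguments, one in %TEMP% "
                        "(copy-then-delete hand-off)")
    return findings


def check_registry_keys(keys):
    """Findings for a list of registry key paths touched by a process."""
    config_roots = {}
    for key in keys:
        m = APPDATALOW_RE.match(key)
        if not m:
            continue
        root = key[:m.end()].rstrip("\\")
        leaf = key[m.end():].split("\\")[0] if m.end() < len(key) else ""
        config_roots.setdefault(root, set())
        if leaf in CONFIG_VALUE_NAMES:
            config_roots[root].add(leaf)
    return [f"per-user GUID config key {root} with values {sorted(names)}"
            for root, names in config_roots.items()]


def triage(run_values, command_lines, registry_keys):
    """Combine the three checks into one list of findings."""
    findings = []
    for name, target in run_values.items():
        findings += check_run_value(name, target)
    for cmd in command_lines:
        findings += check_command_line(cmd)
    return findings + check_registry_keys(registry_keys)


# Constructed input, taken from the values this report prints.
GUID_KEY = r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E"
SAMPLE_RUN_VALUES = {"dnshdrt": r"C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe"}
SAMPLE_COMMANDS = [
    r'cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE""',
    r'C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE"',
]
SAMPLE_KEYS = [GUID_KEY] + [GUID_KEY + "\\" + v for v in
                            ("Client", "Ini", "Temp", "Scr", "Keys",
                             "{8E20961D-952E-F0AE-8FA2-992433F6DD98}")] + [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_COMMANDS, SAMPLE_KEYS):
        print("-", finding)
```

On a live Windows host the same functions take their input from `winreg` enumeration of the Run key and from Sysmon event 1 or 4688 command lines; the checks are pure string matching, so they run unchanged over exported data.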

Screenshots


Hosts

Direct   IP        Country Name
Y        8.8.8.8   United States

DNS

Name               Response   Post-Analysis Lookup
www.php.net
groupcreatedt.at

Summary

C:\Users\user\AppData\Local\Temp\gfycfilt.dll
C:\Windows\System32\gfycfilt.dll
C:\Windows\system\gfycfilt.dll
C:\Windows\gfycfilt.dll
C:\Windows\System32\wbem\gfycfilt.dll
C:\Windows\System32\WindowsPowerShell\v1.0\gfycfilt.dll
C:\Users\user\AppData\Local\Temp\GZFMSI9xpp5Y7lH.exe
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows\sysnative\*.dll
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\6C92
C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat"
C:\Users\user\AppData\Local\Temp\cmd.*
C:\Users\user\AppData\Local\Temp\cmd
C:\Windows\System32\cmd.*
C:\Windows\System32\cmd.COM
C:\Windows\System32\cmd.exe
C:\
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe"
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\gfycfilt.dll
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat
C:\Users\user\AppData\Local\Temp\GZFMSI9xpp5Y7lH.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_USERS\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\GZFMSI9xpp5Y7lH.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Scr
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\{8E20961D-952E-F0AE-8FA2-992433F6DD98}
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Scr
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\{8E20961D-952E-F0AE-8FA2-992433F6DD98}
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.WriteProcessMemory
kernel32.dll.HeapCreate
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetTickCount
ntdll.dll.RtlNtStatusToDosError
ntdll.dll.NtUnmapViewOfSection
ntdll.dll.NtMapViewOfSection
ntdll.dll.memcpy
ntdll.dll.memset
ntdll.dll.ZwClose
ntdll.dll.NtCreateSection
ntdll.dll.mbstowcs
ntdll.dll.ZwOpenProcessToken
ntdll.dll.ZwOpenProcess
ntdll.dll.ZwQueryInformationToken
ntdll.dll.NtQuerySystemInformation
ntdll.dll.RtlFreeUnicodeString
ntdll.dll.ZwQueryInformationProcess
ntdll.dll.RtlUpcaseUnicodeString
ntdll.dll.RtlUnwind
ntdll.dll.NtQueryVirtualMemory
shlwapi.dll.PathFindExtensionW
shlwapi.dll.PathFindFileNameW
shlwapi.dll.PathFindExtensionA
shlwapi.dll.StrRChrA
shlwapi.dll.StrChrA
shlwapi.dll.StrStrIA
shlwapi.dll.StrTrimW
shlwapi.dll.StrChrW
shlwapi.dll.PathFindFileNameA
shlwapi.dll.PathCombineW
setupapi.dll.SetupDiDestroyDeviceInfoList
setupapi.dll.SetupDiEnumDeviceInfo
setupapi.dll.SetupDiGetDeviceRegistryPropertyA
setupapi.dll.SetupDiGetClassDevsA
kernel32.dll.SetEvent
kernel32.dll.Sleep
kernel32.dll.GetExitCodeProcess
kernel32.dll.CreateProcessA
kernel32.dll.lstrlenW
kernel32.dll.GetLastError
kernel32.dll.GetProcAddress
kernel32.dll.ResetEvent
kernel32.dll.LoadLibraryA
kernel32.dll.lstrcmpiW
kernel32.dll.lstrcatW
kernel32.dll.DeleteFileW
kernel32.dll.CreateWaitableTimerA
kernel32.dll.SetFileAttributesW
kernel32.dll.SetWaitableTimer
kernel32.dll.GetModuleHandleA
kernel32.dll.HeapDestroy
kernel32.dll.GetCommandLineW
kernel32.dll.ExitProcess
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.WaitForSingleObject
kernel32.dll.CreateFileA
kernel32.dll.CreateEventA
kernel32.dll.GetVersion
kernel32.dll.lstrcmpA
kernel32.dll.GetTempPathA
kernel32.dll.GetTempFileNameA
kernel32.dll.CreateDirectoryA
kernel32.dll.GetFileSize
kernel32.dll.FreeLibrary
kernel32.dll.lstrcpynA
kernel32.dll.GetFileTime
kernel32.dll.FindNextFileA
kernel32.dll.FindClose
kernel32.dll.FindFirstFileA
kernel32.dll.CompareFileTime
kernel32.dll.GetModuleFileNameA
kernel32.dll.lstrcmpiA
kernel32.dll.SetLastError
kernel32.dll.GetModuleHandleW
kernel32.dll.LoadLibraryW
kernel32.dll.TerminateThread
kernel32.dll.GetVersionExW
kernel32.dll.VirtualAlloc
kernel32.dll.IsWow64Process
kernel32.dll.GetCurrentProcessId
kernel32.dll.CreateThread
kernel32.dll.OpenProcess
kernel32.dll.VirtualProtectEx
kernel32.dll.SuspendThread
kernel32.dll.ResumeThread
kernel32.dll.GetLongPathNameW
kernel32.dll.GetModuleFileNameW
kernel32.dll.lstrlenA
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.lstrcatA
kernel32.dll.lstrcpyA
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.LocalFree
kernel32.dll.SetEndOfFile
kernel32.dll.CreateDirectoryW
kernel32.dll.WriteFile
kernel32.dll.CreateFileW
kernel32.dll.FlushFileBuffers
kernel32.dll.lstrcpyW
kernel32.dll.SetFilePointer
kernel32.dll.VirtualFree
user32.dll.DefWindowProcW
user32.dll.SendMessageW
user32.dll.GetSystemMetrics
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.SetClassLongW
user32.dll.SystemParametersInfoW
user32.dll.GetAncestor
user32.dll.GetWindowLongW
user32.dll.RegisterClassExW
user32.dll.GetForegroundWindow
user32.dll.TranslateMessage
user32.dll.GetMessageW
user32.dll.keybd_event
user32.dll.DestroyWindow
user32.dll.wsprintfW
user32.dll.wsprintfA
user32.dll.DispatchMessageW
user32.dll.GetCursorInfo
advapi32.dll.OpenProcessToken
advapi32.dll.RegDeleteValueW
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegOpenKeyW
advapi32.dll.GetTokenInformation
advapi32.dll.GetSidSubAuthorityCount
advapi32.dll.GetSidSubAuthority
advapi32.dll.RegSetValueExW
advapi32.dll.RegOpenKeyA
advapi32.dll.RegCreateKeyA
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorA
advapi32.dll.RegCloseKey
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegQueryValueExW
advapi32.dll.RegSetValueExA
advapi32.dll.RegQueryValueExA
shell32.dll.#92
shell32.dll.ShellExecuteW
shell32.dll.ShellExecuteExW
ole32.dll.CoUninitialize
ole32.dll.CoInitializeEx
wintrust.dll.WinVerifyTrust
user32.dll.FindWindowA
user32.dll.GetWindowThreadProcessId
kernel32.dll.Wow64EnableWow64FsRedirection
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
oleaut32.dll.#9
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
ntdll.dll.ZwWow64QueryInformationProcess64
ntdll.dll.ZwWow64ReadVirtualMemory64
ntdll.dll.strcpy
ntdll.dll.NtResumeProcess
ntdll.dll.NtSuspendProcess
ntdll.dll._snprintf
ntdll.dll._wcsupr
ntdll.dll._strupr
ntdll.dll.memmove
ntdll.dll.wcscpy
ntdll.dll.ZwQueryKey
ntdll.dll.wcstombs
ntdll.dll.RtlImageNtHeader
ntdll.dll.RtlAdjustPrivilege
ntdll.dll.sprintf
ntdll.dll.wcscat
ntdll.dll.__C_specific_handler
ntdll.dll.__chkstk
kernel32.dll.GetComputerNameW
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.QueueUserWorkItem
kernel32.dll.SystemTimeToFileTime
kernel32.dll.GetLocalTime
kernel32.dll.RemoveDirectoryA
kernel32.dll.DeleteFileA
kernel32.dll.HeapReAlloc
kernel32.dll.GetCurrentThread
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.CopyFileW
kernel32.dll.GetCurrentThreadId
kernel32.dll.DuplicateHandle
kernel32.dll.SwitchToThread
kernel32.dll.MapViewOfFile
kernel32.dll.UnmapViewOfFile
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.OpenWaitableTimerA
kernel32.dll.OpenMutexA
kernel32.dll.WaitForMultipleObjects
kernel32.dll.CreateMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.GetVersionExA
kernel32.dll.InitializeCriticalSection
kernel32.dll.UnregisterWait
kernel32.dll.TlsGetValue
kernel32.dll.LoadLibraryExW
kernel32.dll.TlsSetValue
kernel32.dll.RegisterWaitForSingleObject
kernel32.dll.VirtualProtect
kernel32.dll.TlsAlloc
kernel32.dll.GetDriveTypeW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.WideCharToMultiByte
kernel32.dll.CreateFileMappingA
kernel32.dll.OpenFileMappingA
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.QueueUserAPC
kernel32.dll.OpenThread
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CallNamedPipeA
kernel32.dll.WaitNamedPipeA
kernel32.dll.ConnectNamedPipe
kernel32.dll.GetOverlappedResult
kernel32.dll.DisconnectNamedPipe
kernel32.dll.CreateNamedPipeA
kernel32.dll.CancelIo
kernel32.dll.GetSystemTime
kernel32.dll.RemoveVectoredExceptionHandler
kernel32.dll.SleepEx
kernel32.dll.AddVectoredExceptionHandler
kernel32.dll.OpenEventA
kernel32.dll.LocalAlloc
kernel32.dll.RaiseException
kernel32.dll.FileTimeToSystemTime
kernel32.dll.DeleteCriticalSection
kernel32.dll.RemoveDirectoryW
kernel32.dll.FindNextFileW
kernel32.dll.FindFirstFileW
kernel32.dll.SetFilePointerEx
kernel32.dll.GetFileAttributesW
oleaut32.dll.#8
oleaut32.dll.#2
oleaut32.dll.#6
advapi32.dll.GetUserNameA
psapi.dll.EnumProcessModules
shlwapi.dll.StrToIntExA
shlwapi.dll.StrTrimA
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpQueryOption
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSendRequest
ws2_32.dll.GetAddrInfoW
winhttp.dll.WinHttpCloseHandle
rpcrt4.dll.RpcBindingFree
user32.dll.GetShellWindow
ntdll.dll.RtlExitUserThread
kernel32.dll.CreateRemoteThread
advapi32.dll.GetUserNameW
C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE"
cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE""
"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE"
C:\Windows\system32\svchost.exe
sneddddga
{C0053CCC-1FBE-F2F4-A9F4-C346ED68A7DA}
Local\{C08C1C5D-1F99-F213-A9F4-C346ED68A7DA}
{C4CA9F68-5357-9674-FD38-372A81EC5BFE}

PE Information

Image Base 0x00400000
Entry Point 0x00405493
Reported Checksum 0x000578ee
Actual Checksum 0x000578ee
Minimum OS Version 5.1
Compile Time 2016-05-10 03:04:39
Import Hash cc79e5d1893e37143e121d47aeb51eb4

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00008212 0x00008400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.36
.data 0x0000a000 0x000006ca 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.64
.rsrc 0x0000b000 0x00045910 0x00045a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 8.00

Imports

Library advapi32.dll:
0x402000 CryptSignHashA
0x402004 InitializeAcl
0x402008 RegReplaceKeyW
0x40200c RegSaveKeyA
0x402010 IsTextUnicode
0x402014 RegCreateKeyExA
0x402018 RegLoadKeyA
0x40201c LogonUserA
0x402020 RegEnumKeyA
0x402024 OpenEventLogW
0x402028 ReadEventLogA
0x40202c RegRestoreKeyA
0x402030 RegUnLoadKeyW
Library kernel32.dll:
0x402038 GetProcAddress
0x40203c OpenWaitableTimerW
0x402040 GetTempPathA
0x402044 CreateFileW
0x402048 GetCurrencyFormatA
0x40204c FindResourceExW
0x402050 IsBadWritePtr
0x402054 InterlockedExchange
0x402058 FindFirstFileW
0x40205c GetFullPathNameW
0x402060 GetProfileStringA
0x402064 GlobalAddAtomW
0x402068 LoadLibraryExA
0x40206c SetEvent
0x402070 GetModuleHandleA
0x402074 CreateMutexA
0x402078 GetPriorityClass
0x40207c ReadFile
0x402080 lstrcmp
0x402084 GetConsoleTitleA
0x402088 CreateFileMappingW
0x40208c ResumeThread
0x402090 OpenMutexA
0x402094 FormatMessageW
0x402098 CreateSemaphoreW
0x4020a8 GetConsoleAliasA
0x4020ac GetStartupInfoA
0x4020b0 ReadConsoleW
0x4020b8 FindNextFileA
Library mprapi.dll:
0x4020c0 MprInfoBlockAdd
0x4020c4 MprAdminDeviceEnum
0x4020c8 MprInfoBlockFind
Library crypt32.dll:
0x4020d0 CryptMemFree
0x4020d8 CertFindExtension
0x4020e0 CertCloseStore
0x4020e4 CryptFindOIDInfo
0x4020e8 CertControlStore
0x4020ec CertDuplicateStore
0x4020f0 CryptDecodeMessage
0x4020f8 CertGetNameStringA
0x402104 CertAlgIdToOID
0x402108 CryptMemAlloc
Library certcli.dll:
0x402110 CACloseCA
0x402114 CAEnumFirstCA

.text
`.data
.rsrc
OpenEventLogW
RegUnLoadKeyW
CryptSignHashA
ReadEventLogA
IsTextUnicode
RegRestoreKeyA
RegLoadKeyA
RegCreateKeyExA
LogonUserA
RegEnumKeyA
RegReplaceKeyW
InitializeAcl
RegSaveKeyA
advapi32.dll
FindFirstFileW
CreateSemaphoreW
LoadLibraryExA
lstrcmp
ReadFile
CreateFileMappingW
GetFullPathNameW
InterlockedExchange
ResumeThread
GetPriorityClass
GetStartupInfoA
CreateFileW
GetPrivateProfileIntA
FormatMessageW
GetConsoleAliasA
GlobalAddAtomW
GetCurrencyFormatA
InterlockedIncrement
GetProfileStringA
SetEvent
ReadConsoleW
GetConsoleTitleA
GetModuleHandleA
FindNextFileA
GetProcAddress
WaitForSingleObjectEx
GetLogicalDriveStringsW
CreateMutexA
FindResourceExW
OpenWaitableTimerW
IsBadWritePtr
GetTempPathA
OpenMutexA
kernel32.dll
MprInfoBlockAdd
MprAdminDeviceEnum
MprInfoBlockFind
mprapi.dll
CryptMemFree
CertDuplicateStore
CryptMemAlloc
CertAlgIdToOID
CertFindExtension
CryptDecodeMessage
CertDuplicateCRLContext
CertGetNameStringA
CryptBinaryToStringA
CertCompareCertificate
CryptFindOIDInfo
CertControlStore
CertDeleteCRLFromStore
CertCloseStore
CertCreateCRLContext
crypt32.dll
CAEnumFirstCA
CACloseCA
certcli.dll
gbycfilt.dll
egggeProcessMemory
ggrnel32.dll
ggapCreate
oruqvrjjmiprs
ernibkis
sneddddga
hokoa.pdb
This file is not on VirusTotal.

Process Tree

  • GZFMSI9xpp5Y7lH.exe 1964
    • cmd.exe 3060 cmd /c ""C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE""
      • cmd.exe 2792 cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE""
        • corrawex.exe 836 "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE"
  • explorer.exe 1632

GZFMSI9xpp5Y7lH.exe, PID: 1964, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\GZFMSI9xpp5Y7lH.exe
Command Line: "C:\Users\user\AppData\Local\Temp\GZFMSI9xpp5Y7lH.exe"
cmd.exe, PID: 3060, Parent PID: 1964
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /c ""C:\Users\user\AppData\Local\Temp\6C92\3BA9.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE""
cmd.exe, PID: 2792, Parent PID: 3060
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE""
corrawex.exe, PID: 836, Parent PID: 2792
Full Path: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Command Line: "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\GZFMSI~1.EXE"
svchost.exe, PID: 2636, Parent PID: 836
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53
192.168.35.21 65426 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.php.net [VT]
groupcreatedt.at [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Comments

No comments posted

Processing ( 1.364 seconds )

  • 0.648 BehaviorAnalysis
  • 0.221 Static
  • 0.169 CAPE
  • 0.166 TargetInfo
  • 0.091 TrID
  • 0.032 Deduplicate
  • 0.019 Strings
  • 0.012 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.279 seconds )

  • 0.024 injection_createremotethread
  • 0.023 Doppelganging
  • 0.022 InjectionCreateRemoteThread
  • 0.02 decoy_document
  • 0.018 NewtWire Behavior
  • 0.018 api_spamming
  • 0.016 InjectionInterProcess
  • 0.016 injection_runpe
  • 0.016 InjectionProcessHollowing
  • 0.011 injection_explorer
  • 0.011 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 antiemu_wine_func
  • 0.005 dynamic_function_loading
  • 0.004 malicious_dynamic_function_loading
  • 0.004 kovter_behavior
  • 0.004 antiav_detectfile
  • 0.004 infostealer_ftp
  • 0.003 infostealer_browser_password
  • 0.003 persistence_autorun
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 antidebug_guardpages
  • 0.002 exploit_getbasekerneladdress
  • 0.002 mimics_filetime
  • 0.002 exploit_gethaldispatchtable
  • 0.002 antivm_generic_disk
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 lsass_credential_dumping
  • 0.001 tinba_behavior
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 stack_pivot
  • 0.001 stealth_file
  • 0.001 betabot_behavior
  • 0.001 reads_self
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name
  • 0.001 network_torgateway

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 131470
Mongo ID 5e79d92e0986a12c9f6d5f5c
Cuckoo release 1.3-CAPE