SecondWrite DeepView - 699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537

100

Malicious

This predictive confidence of maliciousness for this sample is 100%.

699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537

613.9 kB

Size

2020-06-18 18:58:58

First seen 6 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

Low

Virus

High

Banker

Low

Bot

Low

Rat

Low

Adware

Low

Infostealer

Low

Worm

Low

Spyware

Low

Indicators

Expand All

SecondWrite Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Anti-Av

Disables Windows Security features

Anti-Sandbox

A process attempted to delay the analysis task.

Av-Tools

This sample is detected by clamav as: Win.Virus.Virlock-6332874-0

One or more AV tool detects this sample as malicious: Virus:Win32/Nabucur.A

Generic

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Creates executable files on the filesystem

Expresses interest in specific running processes

Attempts to disable UAC

Http

Performs some HTTP requests

HTTP traffic contains suspicious features which may be indicative of malware related traffic

Network

Performs some DNS requests

Packer

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x004a0000 allocation_type: 4096 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 475136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00730000 allocation_type: 4096 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x027e0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x004b0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 36700160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0c980000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x028e0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x029e0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x02ae0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x02af0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x02b00000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x02b10000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0ef50000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0ef60000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0ef70000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0ef80000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0ef90000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0efa0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0efb0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0efc0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0efe0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0eff0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0eff0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f000000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0eff0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f000000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f010000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f020000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f030000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f040000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f050000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f060000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1b0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1c0000 allocation_type: 4096 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1d0000 allocation_type: 4096 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1e0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1b0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1f0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1b0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1f0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1b0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1f0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1b0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1f0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1b0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f1f0000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f200000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f210000 allocation_type: 12288 process_handle: 0xffffffff
2640	NtAllocateVirtualMemory	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0f220000 allocation_type: 12288 process_handle: 0xffffffff

The binary likely contains encrypted or compressed data.

Persistence

Installs itself for autorun at Windows startup

Program-Level-Features

Contains obfuscated control-flow to defeat static analysis.

Service

Creates a service

PID	API	Arguments
2640	CreateServiceW	service_start_name: start_type: 2 password: display_name: yMckgwkS filepath: C:\ProgramData\BaYccoIY\CAMIMsAM.exe service_name: yMckgwkS filepath_r: C:\ProgramData\BaYccoIY\CAMIMsAM.exe desired_access: 983103 service_handle: 0x004dfc10 error_control: 0 service_type: 16 service_manager_handle: 0x004dfc38

Static

This sample contains high entropy sections

Contains sections of zero entropy

Stealth

A process created a hidden window

Attempts to modify Explorer settings to prevent file extensions from being displayed

Attempts to modify Explorer settings to prevent hidden files from being displayed

Yara

Yara Pattern Name	Description
IsPE32	No Description Available
HasRichSignature	Rich Signature Check

Static Analysis

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x00096000	0x00095200	7.92893709911
.rdata	0x00097000	0x00001000	0x00000200	1.6502284104
.data	0x00098000	0x00000171	0x00000200	6.16799162792
.rsrc	0x00099000	0x00000200	0x00000200	0.0

Imports

Library kernel32.dll:

FindFirstVolumeMountPointW

Library user32.dll:

GetCursor
GetFocus

Strings

!This program cannot be run in DOS mode.
Rich!l
`.rdata
@.data
WE6{^U
9XB;xXB
=XB;xXB
`3XB;xXB
#XB;xXB
YXB;xXB
1XB;xXB
_}^g#Z
7^{<_P
LqVU>L2
KYCRz]
bl(T&m
1Csx5C
1Csx5C
1#px5C
&QNqWk
0ew(Bl
ewR*ug
wh!e~2
HtTPMt
QtTKIq
]vCJK0
H+tuL+
H+t5R+t
Z+t]Q+
H+tUQ+
tuO+t5\+
b+ Qz/
tuO+t5\+
L+tUM+
H+t5_+
?fOMOs
Oso=Os
Oso=OS
*h+p_ed
6}S<U
5R(Rk3-
t0ABf0
u0+vV0
ABb0AbV0}
ABb0AbV0!
r0ABj0
r0Abr0
ABb0AbV0
AB`0A"K0
g0ZY&+
H+@j-6
U (Rx:vk
pw+;P.
+tj[jb
i)!uc(
h+bV5y
D,/V+=
OXou?"
|+8pR-XSR-
uR-XPR-
uR-XkR
uR-XmR-
j;Bjm+
0I+bAs
/JtP6Jg
PW+}mR
S7W?;2M
TyN7j3
~QblHk&.
6PB~F+
oYUhBY
} _w5>
%]_!("
BkH7G1
R;"-ICl/
gbmCb
7Q,/H+=
/I?bA4
0\+C~2
8|I+}^
E"l(U2
W+bYRt
U jOU sk
blgU&-
xjZU}
\R<-x9W)
Ay'RA9
nm+[,g
<(?$pf
@4'SI|g
SAyfRAy
$2-..
Ay&RA9
Dx6Zgo?
H?hclB
ry/g8cz
AygRAy
Q#PY/wm
FzX0mj
|VIUw&
^\GY$vH
AVemA2X
:ugLl;
Ay'RA9
s,#P^O
mA9Gk;
FPW.`6
9qt`:i<
W$j]sV
cKe{! F
^8PM.V
rguUr.
<K/k"~
h:7'1O
a^?k:l
3~%`(E
yT3n*5r
l0lh-R]
DH$i-3E}
CIi?$cG3dY
t;]T.G
Ay&RAy
,3{lU{
iis.jDd
Z*h1x,n
%UE>K[)Nr
e[D3Tb
R}Z8)e
z}bur`
vK:VK1'
h-[,N*4
mfT3\E
~NYag15$
I?F%a?
WFBJjZw
]*gW\r
'G~#z-
kI$ )O
/_hp+F
Tm!rt Z
JY|&I{
5Y I0F
%g{1(%
aTfI4'
zLgT:h
dv1J Be
dz|/NHL
bzJ;.J
@@#Cf~
C6B!Rx
?)+Dt\8lD
!Lb@sC8
x\V;igK
&h,!Y"
j(JAL2
AyfRAy
?;U.yX
wPi]D&
ZEXOtr
nE'gO
#I[)>U
-l`)@) d
]$AAoo
mtE0mp
PwM@@
81s9jN
5*vpp3
gBR?EB
Kvyd+J
'<G[`C
b'|YI1
K4sO#xh
9wgi0fL=1]
RzD:nG
dDu7gH
.m`OlB
fQ}6;/
B2}R>P;-
]<~.\a.
nz!@f]R
CA+5RA9
Ay'RA9
>DG(tm
bPxr+H
zfA|.f
!Ql2>J
A(j2MH
t$faM)
5fNO_^
AbtE&2
=!q/r5%Q
8KII&t"
:QU:/G
P&BxkX
RAcgVay
aA9'Rah
kD\(
;V_)33
oW%n`Ab+9
UqDq9VF
ng52/
ux+)qo
CA+5RA9
S%90r3q
wa6X;&
IDF2C(9
Z(jE|}
tJJEIR
(,l5>W
0CNz5
"N!XucqP
H'k}^j
W9%rA}
GIj;_:j
k;4<:-
xCR8gy
VX7+UE
H,_E/_J
GaeKC^P
Tay72v
lJ^s77
1{IyZRAy
AygRAy
WYEe%<
WCwFE)A
WYEe%<
WCwFE)A
Nz'!DF
s(XN|(X
B<dWD|
AygRAy
s$b/v0
qLpuZ
-*`5sIKO
m:6?4O(
cTYTwd(su%
a Bp#[a
`'XAy
RA}'RAy
JO9`RAy
Wy'RA}
HY.?tj
T;gCKE
n,MrJ
QZ[g9
:gC]4`eiY
VL?Dj"
2EYE?)
xkkC .
R1Xra+
B<dWD|
x'RCy&RAy
G0;'kB
@~A^#;i
B<dWD|
dtb`AE
SDygDA
FY,RAy
@9gRAx
YUB>x"
,7G5>_g
av7<$FJn
7!(hNd
RO:fND
F>a^\E
9zQy=g
[\*^Sj37
*?o3](
h4Nk'7
}'`')&
gJ(:j5
J`NP'6
C0u[n%
Ay&RA9
/%3}zh0
k[}~ne
1riDy}
|c<b4&
TP+i- )
CA+5RA9
7:f/'2
lPYg]H
1[RQ8'RRy
AyfRAx
IDw)@|
9'PCyeR
2UrG+L
r1\M,Ru
381G.{+<f*
4Br-8jw
=+jaJ.
D02=nY
>\:n(p;
[MsY}m
p)0BK$
CX7("#m8W
K^nk/~U
oeKr&~
=qi`\N
&bt&)1
p9(WL{,r!
\uTOGB
AxJ[Vs
NwSJ/G
/ij.zm
#mZ!*8
JgZD*9
BD#M_!
Ay'RA9
AygRAy
C~A9%RAy
^~YghA
q%KDy6M
PEIaMt
y{A4-J
oNKChp
7nz.B`
yFmCSq
`"D@Ek
Xnl`RpN
:F-KR<x
h[MD8#;
)?#k~*
p?63l.
n+c=+O
^$x y
&`1GeC
AyfRAy
$zz_"^
tv^$@5
B<dWD|
'R@9gRA
Td3A~b'
=;r"dS
+pnjTyqP
"w6xil
AK,g0R
mAJC{px
%]n%*8{
-q,#in
Ay&RAy
NvdKWmC
b8}7QD
aI<=10
B'@WkFP
AygRAy
UZm!1Hla
mK'e)zw
T9L^d
K#yROb
e[HcXcP
|{NH0j
k"-;tc
eBJ2cSM
vV6j^i
@h\\Ew
@h\\Ew
&y#&N/
ahD5bk
8a=3wn
J}#|I'=
RA}'RAp
GgmAPg6
Cv(O`E
G(!@Gw
0lK8.D
pNL*Y
WH]aTJ
OyU)8JrY
aa{=<QXbI q]
m*FLn*FLn*EIn
QP'F0h
M{CGqU
!vGkqk
41tT`P
CA+5RA9
Ay'RA9
B^@Y'RAx
|GyvRAz
m/s nZ<
ma]I?{
1hSCP7
Ay&RAy
-R)EM?
L)meO-{Rs
\hD|vt
tlhczO
/9_/,
\ujL_n'
CNrP."{
kyJ,adT
RJ;(Y'V
7M&8Uz
5U[+++
e]xP^=EWT
xVI/;uFQt
~*=jyo
2tEAc{#
Srr#iY
"]c2uE
#[P7(Z
PRl5ja
VeahPg
rm:O}JBLC_@
u_Y)5O
p@^}Ade
~oi2a#
^d{;9
9YS1*V
mA.Omayn
0i<Bqa
~"rR0q
d!54i!?
CA+5RA9
PLY'vAy
rb8M;W
1cVp*X[Z
QMbn)-
oS4p%7
Y;Edbk8
g&w0k>
mzy8~2'
N&m!o]
i{bS+S
2sc"')
E,[y~pvT
Ai\<aYts
f8[mKR
t"raz%;=A
65Zae]
8)4kUS
H PfACw
^}{kxql
:I>&4G
(TphH
ot^p-_
1'V@=#
(FZNg"
<J&Nc,K
d-N`6b(
gSCy%R
z#.Df-
4FRqW2'
p)cyR1
ZrN:_es
Olmaye
+IEIn\
LlAES]
kr88J~
]#]dB
UQstTUI
{H+TW:
ka/PGaXW
E\.Rj3K
Ti9HdI
4s0S=R
k#,yw/
0z*51z8y
6{7Uzl
8]<bff
1U:R@id
fM0Vwj
=F|.@s
Ojc9sW
XQyEj'
OP37h@
Jhf[T/
EuUOK`c
SdmA^,%
C'n}9j
1pN<GkC
n^llbV
{Ps?`T
RAygVAy
@CyMRA
'RAygR
2j!Fhi
'q1+~/
#[J3o|
-h46$n
BngmaTF
A5+m@W
/b+_'t
B<dWD|
AygRA9
n.2aS>B
W'%L/#
)Y3LFl
Ay&RAy
nC@JhQ
-=QS/#
UP1TBx
,hyyTB
gGuTR#
<E2)l
|TivZM"
oHNL5\~
]E=g<l
6`m!(Z.
ef3sPN$
C7_9&R
m/FU*6
q)(y?q
zz));*L
:W= t)
"6Q*cE=4
,oG+=*
g\urRg!b2
fRL!b2
T/y:r~
*iH44*
f7V/yg
O<$D}[
Wbl(TZOP2
0pFd=K
21Qy?P
t\8A`K
21Qy?P
t\8A`K
t\8A`K
D\P.0S[-k
1S[-k\
p\9*0A
0kQ"lhk
^\L=ZL]
^\L=ZL]
h+BP'$
x'jkB~F+q
UvHDGy
^RP"_T
L'_AJgC
tHC^4K
'CC@wH
'CC@wH
.Ad}x@e
.Ah}v@i
|ySPL[
>b{<#o
Pb{<#o
cb{<#o
Mb{<#o
\b{<#o
>b{<#o
cb{<#o
\b{<#o
Mb{<#o
Mb{<#o
Mb{<#o
Mb{<#o
Mb{<#o
bb{<#o
cb{<#o
#oiGM W$<
#oiGM W$<
>b{<#o
cb{<#o
\b{<#o
Mb{<#o
Mb{<#o
Mb{<#o
Mb{<#o
Mb{<#o
>b{<#o
Mb{<#o
Mb{<#o
>b{<#o
cb{<#o
\b{<#o
A5}tEo
xb{<#o
>b{<#o
cb{<#o
\b{<#o
?n&iFG
>b{<#o
cb{<#o
\b{<#o
>b{<#o
cb{<#o
\b{<#o
>b{<#o
cb{<#o
\b{<#o
D5b{<#o
>b{<#o
mb{<#o
DEb{<#o
A5|4]o
xb{<#o
b{<#o
,/W+=J
h'Bpm+
ZB).:B>2+
<<bNLS
"Ha@PK`
blHTX.
5hM(z#"
W+v%Jd
_ZiPUL0
\jblhk$
Ngbf'd
L,oR<}
p(:xL(j
&QN1W+
X@A*Z[A4c[
X+AjT[
X[AJP[
W%=oWt
VINm}I
wVIWC}
]ITb=mT
)~Ra<>Q!2
Qa2~P!5>@
jN?.6C
+*vVe00
zp+B~H+
F+NqWl
v{oB~R+I
`K{8`K
`K{;`K
`K{?`K
CK;Y`K
`K{9`K
J`K{8`K
`K{9`K
`K;=`
`K;;`
U`K{;`+
Mxl<<m
il8<mL
y5g-yu
yuk-yu
y5g-Yr
n+bu@1
;,o=oY
/b/RP{/
/"5|/#
/b/RP{/
x$R/bP
2 cia
-le=oG
p{QblHk
ZBi7:B
e1Gq4Qj!
mu='0X
0)Qb!p
4S.I<b
0H+Z1t
p,Q,xz
xmOj=^
Itmn^p
!^-zO{m;
6:7P^!
6u50:Tcq
Wbl(UMn
%oXe/QX
#iI5`|
0hISaI
*h+8_`
XrkxH
<j9wxf
}F*BoR.
):_<u2_^
i2_HwH
i2_HwH
#_io,[
i2_HwH
$$`x^k
p(Ql`rk
Ex!yUB^d+
8plkB~F+
V=IV_=Ivb=
V=IV_=Ivb=
V=IVC=
bIVQ=IVC=n
V=IVC=mk
Z=I6R=
V=I6R=
N=YoRU
uIVS=I#r=
H=I6r=
M=IVC=d+
M=IVC=d
R=IvS=m1
V=IV]=l22
H=I6r=$
V=IVS=I#r=
I6R=9(~
R=IvS=m
H=I6r=
9ykEfpk<Ol2^
(:Bjy+_
*blhHrN\6p:
;P~ccG
;P~acG
{R~/_G
{G~-{G
;P~acG
C~__g~
{C~*n|
;P~acG
{A~$oG~-{
"Wh7##
tQblHk
(|Ro/|
XRo"|R
(|Ro-|_
m2EWl~
R6$f,d
R6*f,h
D,/U+}
'S&GqM5
~h+bN[f
p5QS~z
\,v-o0
k)6pkpKy
k0Tpr9
q*`W<+<
8eT&=j
D,/T+=
PMssj++
8-L+=*
Q$?B.
]%A_lC
6[p=6+
60^-z[P
.#62[#
zPMp[p
iH5e}]
*$jbdk
**jB~kl
&30c 3
d7v=5r
> $I+E
*c+++#on&a
ic*&+kh
j'o+/*2a+gc
.!*a+&,o
a&c/alh
a&c/alhj
nf+fk/
.!*a+&,o
*r&+ch
ck`acof
#r/k!k
+la*.(
ia"'&a
+&+gkfkajbg*
zcbbfj
d# o"+
kdc,n%/
o%#/i&
'a/f+gd
f"kgh*
'kf*fk`
'*g*nc&r
, kb#`k`g
`/ oa"
f&l oan
`-#/b.&
c*&+.o
o'.i,#r
o'nb,!
ibc+&+
:r+fK3
pwQblhk
h+HVH+>QH4G3H
}Ht|"H
BOHt""H
Qo>nP$
|%>N)[
5@>.59?
6zoo.@
~H+enD
)b)(2R
)Lv(JH
)L6(JH
blHk>M
blhTF/E
] fvB}
;UB>D+
80nkB~f+
WjepRb50
&tg9_?
{#t?MU2
;84l`J$
248Og9
342$W(
{IT;k,%
;X4| m9
mtmIJ%
;{4hIx2
{qtiU5%
rTm\q8
{w4uAk&
[_lP^_
G_lp^_
N_,m^_
*lPN_,
N_l0__
[DlPW_l0__
[_l0Q_
{l0^_2
[_lPJ_
[_l0Q_
[_lP\_IQR
lPP_l6
[_lPL_l
UlPN_P
zl0]_j
lPB_P+}
[_lp]_2
[_l0W_
[_l0__
[_lpN_l
lpH_l>q_
[_l0__
[_lPN_l
S_l0{_
A_t4OF
[_lPL_l
[_l0^_
[_lPB_l
[_lP]_l
zl0^_j
zl0]_j
[_l0__,
[_l0__,
[_l0__,
[_l0__,
[_l0D_
O_l0__
Q_, __
__lpB_
Klp@_l
[_lP@_l
[_l0P_
[_l0\_
[_l0__
[_l0V_
l0O_l8]_
__l0]_
[_l0V_
l0B_ltm_K
[_lP__l
{FlpO_,Eb_
[_l0P_
lP]_lPN_{
ylP]_l
[_l0J_*
l0G_*e_
V_l(W_
[_lP__l
[_l0X_
[_lP__
TlP__l0__
[_l0G_
[_lPB_l
lP__l0__
[_l0__
lpJ_l4p_
[_lP]_l
[_l0I_
N_l4__
Dmx4VG
[_l0^_
[_l0]_
__uh__
[_l0V_
^_lxo_
[_lP]_l
lP^_l%
{chy=t&v
Y<$d9k
<g*"lhk9
"A*<;A
"A*<6A*
"Z*<;A
"A*\?A*\AS-
"A*<%A
"A*<%A
"A*\#A
"A*<&Aja:A
Y_|1GXS7
q!9Zj!
e*\<A*
"A*<;A
Y`1g7X
OI.x%$
AhQr^Y.
iy"=GT.F"
Z*blHk
xe.WP}
5y+l+\
h]gDiwdN
WMt67}9w
-%,Sa*
ohYp\h
dY$IeY
IeYHjdD
^aY0[a
_DSvb(
s+vKMD
7L1Y}u
H0K]DP!
_mND*S
l n@D\
Isf!sq4
f"SSE n
C~}KO~|
3f!SSg
0f!SSG
0f!SSG
0f!SSY
L1b!r3
~akQD8
1^$N.C
d%C!q
> Sb(&
Qy-11l
QtP&1f
5=3>V!]q[
Of^L@F
z,#Rqf
7s.57'
kb^d.f
BS3F!S
y SZ{&3
3f!SSg
q,ukND9
iSWI~q>
f sFF"3
(f!SSG
(f!SSG
f!SSg
f sQE n
aN!Ssd\
1f!SSg
1f!SSg
iS{I~q
f sQE n
1f!SSG
1f!SSg
f SQE n
f sQE n
1f!SSg
1nH!KQY
LDVDe{
nnD8z
nnDz
nnDc}
nnDI|
XyKF]=
wNW;W>#
];W>q<fq
nnE(w
nnDgx
nnDg{
nn'fz
nngpp
V'';V*g
S"buw3
F7w$~+
?v{_}w
d;T;e;
|w;]yt
o{R6u;S
m;^?y|
x;X;x
PF;aj
Z=x{Q5T
_`x{_ax;
OI;LLH;
mJ;JMF
z;S7{;[
"z;cz{
_bz;N0Z
6m;=s
#{{Zz{
V{]{j{
;u;V<u
_%};"};T
tB{]`n;
T{PuN;
9m;W;p{
O;P2L;
P{P2N{PrL{
$|;O.\
J{PnH{
1@{Pn@
rN{P0M;
q;RsP;_
9x{_hr
_ |;^~x
pJ{R3M
_f~{\#~
b~{Tyz
kg;U:b{
s{Vxp;
fh{_e`{
_>u;U7v
c{\b|{
#g{Z6Z
FindFirstVolumeMountPointW
kernel32.dll
GetFocus
GetCursor
user32.dll

Dropped Files

1f04b1692e66f8bb_xkIO.exe

Name: 1f04b1692e66f8bb_xkIO.exe
Size: 5.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: fea814189850d0828df12121f3ae7455
SHA1: 65757e2dd0d646a1f1d3267222426492b4d2dc2b
SHA256: 1f04b1692e66f8bba4caeb43e252f81e0f9feb5db1363a9d0d64c4e5fc8ce1b6
SHA512: b3ad4eeef275b83808fcee2e025710d73abc928e3594664cdc8fc825c206dda94024418cb192eb4695d8770b8f548453c306ffa2556eda4c4188c4fdfa201c5d
Ssdeep: 98304:aNi+cyQ4B+1VBeiVjEWZ3Cz3ZOb0HaoMsyLQ142u+T8InWxsWDQ:Mi+cyIBC1V8zxsWk

21e6dacab9094c37_dcEc.exe

Name: 21e6dacab9094c37_dcEc.exe
Size: 515.1 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 33f4a7e1b529487a4c8e793ba6e0b2ed
SHA1: f51bc87b5c75f08ff93052c674afa5516f23c96e
SHA256: 21e6dacab9094c37e50a79e03a68214364786d6cf64cf58d52e817e088c4fb6a
SHA512: aa897a70f3a02e96b4c9a89cdee86d899a2bbd42c3059ceac7661565aef1fc09d5efc6427b6b87b7862e567c4659ad2c05e6a31e3e5e5ceda4f9a7fe72a4a8e4
Ssdeep: 12288:aEjGAllK9ckZa8UWjvu8g0eH5F+NWWGOY54tXJjvFshoekj/v35ouH8LYmq:5YBZpzCLV50NW354tXJjvFshBkj/PPHD

2a4d57031801f949_tgoe.exe

Name: 2a4d57031801f949_tgoe.exe
Size: 501.2 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0e3c2f0b31f2a10afd30efce95a34309
SHA1: f2bfe48b0832a06c23abc38b8c7f08b68cfe3bbc
SHA256: 2a4d57031801f949789f311931cffd39c11657247de0fe74a5801b307455fe87
SHA512: b109d3d70b9e4d3baa521a3b3f521d87abde56746930835b48396e01a1fd74eff60f4529aa0a88602e25c6fca3fdcab2b3c2ffe25b8fac240e4063584fd72cc3
Ssdeep: 12288:szpyowfTyzM3idBR/jtx5jMC4FLd6SjFBSou:sQxfjaBR7r5jMCChpJg

34ffc7b370986af0_yQcG.exe

Name: 34ffc7b370986af0_yQcG.exe
Size: 524.8 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: f9031af893528e1d006bd2f896bacbd7
SHA1: f4672480406b3ca031c59596ba975d872630ac80
SHA256: 34ffc7b370986af0a651bf32cb38fdb101166c7556f8076fb5f1f3757fef422a
SHA512: a1ad5988f27653b90a8524ecb1ff769041c6518d9eeaf8ed82bc9d5b23e16125dfcbb279ed29b24ec428d2bdad021a8b0d14ab51e60817cce0ff477569de8954
Ssdeep: 12288:JJfHlQeX1IgbWrxcDmOTg1Y4x0RINnQjQhShS759/:JJfHlQMmhx6L8KCOINnB9/

35a10abc01adcd14_gEga.exe

Name: 35a10abc01adcd14_gEga.exe
Size: 16.5 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 01d40c3cd6c1aca9b791665a885a82dc
SHA1: c83022e9c1c80b5107095350275a6f757844c8c5
SHA256: 35a10abc01adcd14877a1a6a2ab324a90cf68ecc7d18537335926e20091607d4
SHA512: 7c2751ddb46efcd94eaba274e065e6552dee8a96e1864a152bd0206d36ff7b7bfef5da35413778788de660b2526a703e3a7fc9b1743c895cda92a089582263ec
Ssdeep: 393216:TQLDdZe27jK0Fb8aU/BQowlvEG4xwn5+/7KZY:TQLDdQ0SBQoTGcY5zO

40af3f6b6e8d7016_lkMe.exe

Name: 40af3f6b6e8d7016_lkMe.exe
Size: 556.5 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 13fa29ef3842e8c11eee24c2301bd2be
SHA1: 4dd3f259252ec0a8994ec6571d69b32c16ca6e51
SHA256: 40af3f6b6e8d70167eb91c0839618592c9d9403bbce381c45745cac999b494e2
SHA512: 6148cdcff657868e40eb9e2cdab31b1443db5dee751daa5021305f17933f1dc70cdaa1926de7f14cf44e1401a84cded5f6cd34a0a07290497b3dde93978a74e4
Ssdeep: 12288:vC2Y8cuI80nHPCQzXCkjjPtuB6WCN+QJd/UjAD9R4y2xG/AkEM7+YSGMy5RcuXv:FfIm2ykjjPgBTCkQJxUjAD9R4EEbYS2F

466fcc98a4e44804_uQUm.exe

Name: 466fcc98a4e44804_uQUm.exe
Size: 539.1 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3b7025c9773c7aa9abe333d0c92e5cab
SHA1: e3de814704bfd78f88d949ec2a60b39b224ad04e
SHA256: 466fcc98a4e44804c886c0680a867b42b489e9e8b1bb05b99060198d942a85b8
SHA512: 4514b52ff0074a4003cac59743fbb4187b28e073cbeccc5b5e3bba2e2df5bfa34c83c46e635c5043797676ecc23151e08e2f928695b7e990246747ed074818d0
Ssdeep: 12288:71dDuoTepyoCAn0zBtLcixhErYDzDgdhHd0crP933Lx:7vD2pyTcgsYDwPHecb9H9

51b929867d3d0c43_nQQu.exe

Name: 51b929867d3d0c43_nQQu.exe
Size: 512.0 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6d35c46ce30a37b34961a35215d97bcf
SHA1: 71aa1865d5a1def8b36e41776b56a2ef39551a1f
SHA256: 51b929867d3d0c43a47ef9cceb2241a263518ab8e74e4849ff316b16f1d1002b
SHA512: 8e55587ee14f9f7211f78e8cc9b9be0bad54b239d2f3469f59ad50840686907f790a5b568639e7292d879ca05bd81c8be5867f42bccca693d13b50ef297f9fe7
Ssdeep: 12288:9tC7ih0rzDJnyXtYrvtz8l/pxWNPEJ3NYJzrrevD0aAUjqh:9tC7m0rz8ybJ0hxWGfYJbe70aLeh

556db5a3943229d4_YUYg.exe

Name: 556db5a3943229d4_YUYg.exe
Size: 4.3 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: ed7b51eddf342e25ec356ee0588145e5
SHA1: 48257e481345ecb86629ae2fc58ceb1bf6bce990
SHA256: 556db5a3943229d40c16323ba6441cc8d24a649b28f2dcf8c1d3e6386c9361e9
SHA512: b5b9771c10e8e8687d236e4dbf1152037fc6baf889b2c872a5b79d193eb344abdb896fbc4cedec53110e6638a6bb869841fd3905c88ebb296e942bf9ec3096df
Ssdeep: 49152:rPvLV3ztHS+UeiSB7fcVhiV8nSxpSZU4+DVTxDRDeMty26nhZq0Xc3iRX69gh/Q/:93REeiSBzG7SDSpoV/tgi

88325fcf49a3261f_EggI.exe

Name: 88325fcf49a3261f_EggI.exe
Size: 4.3 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 52d3f2725df575c399006e17a8f3a0e6
SHA1: ab32a245275f2c3d854f55eda5edf01c638a4a79
SHA256: 88325fcf49a3261f58d94ba572989e69e242b724723d6e5cf77d503bffe50428
SHA512: be7c529f771898cefd30ecfd8cf103fdc90ccbb595dd16866a442888e6e379cc78fdb99ae2e03d707bdc09b50ffc480b555dfc56307561df5466e0ed31c5f65f
Ssdeep: 49152:xsWFSPEUu8moGL3jBtiZa6uH4WgCfAp4aXlE14kOX+l:ZoPEUu8m3tiTuH4WgC4p1EUX+l

89504f8480449cfe_cQAw.exe

Name: 89504f8480449cfe_cQAw.exe
Size: 535.6 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 506f50060659de5d761d51635cf17e52
SHA1: 9440f5ae37eb3069675d3b95505a599adb342dea
SHA256: 89504f8480449cfe08fc6cd30d7861d3f9269425b150f690f35129d3f7393e11
SHA512: b16d80311553758c4d5849cec395937a2fcade2afdc08722ab67763e8ba36a54b8d2df2fdf9b2f515180e99e62d782c13a4ae3c2d48c0fcf57f3ce0ba3be59ac
Ssdeep: 12288:DpcqQz1MXYeIAOvN7KllrPFx+W+K87S56PBozmL:DpcVpMXnXyN2vz+O87K+QO

94b8f303a0617acf_zUUe.exe

Name: 94b8f303a0617acf_zUUe.exe
Size: 499.2 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: f85cc42d8868a58aa343a348741c76bf
SHA1: ff195c836948173320a76c2c5ac06c53163baec9
SHA256: 94b8f303a0617acf707d9ac93f546db6e657f359606e9e97392e36a08c559f42
SHA512: 33862ffe5d11f9c723bfd279207c3bad474b232a03791e9f33db9ad699ad167fa6be72a1fe1e51a6574124ede5423cfc57e22660316bce985f71f816d8210a4b
Ssdeep: 12288:2d3RQbqqUaB+HlHEfYN7h/geZiMRMnkVKS80oO1MQN9+5:oGhR4FHEfYT/5IMunk4woqT9c

94f5d2da12064396_QMMQ.exe

Name: 94f5d2da12064396_QMMQ.exe
Size: 498.7 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 759dc117c28c138581218e7ccd8777ea
SHA1: 2bb0ea909ece5881013be9a2eebb036603505e78
SHA256: 94f5d2da1206439662ab632f420488d8f398ab8c885fa1fc6961cf15b9b5aba5
SHA512: c6f6abb5078656890ad48f6ff2a8041829ee2935f8ef6253c36c96806ec856898c07f51cdfacceb22ee6333b363dcb5e273239897932a3dd41db0f8e818734ed
Ssdeep: 12288:zjCy5+UIc8P1cBnfrDGQZ+tzdC57CFEsMbJOYSwqiuR:vCyghP1cxfnNupLMjC

98730c7b1b6b5a06_xIIm.exe

Name: 98730c7b1b6b5a06_xIIm.exe
Size: 16.5 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 58d643dad2cf1fb5fa3dba1b31fa5823
SHA1: a58aa775f45576122274bc4f80931d45dddf98b6
SHA256: 98730c7b1b6b5a067d0eaf6baf6ab514c86f0e6c655ee17b24e83775e72914b4
SHA512: 2dc016593d3c86d9d4504827955c133a21fc94b0ad6e6e86e8115a22d1e59ced061f75ef4a96a0633fbd73ef43bec1e0cd3751ac27f6d91d1552a7447529bd84
Ssdeep: 393216:gAsLyKN8k2O9BM+RG99ca2u2wKbMOsACEl++9K+EtdHc:gXyKG0BM+RGLv2u2wZOLCEl++b

9bb26e65103045e2_hQAI.exe

Name: 9bb26e65103045e2_hQAI.exe
Size: 497.7 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1cad4f78285c744c305d52072795d8dd
SHA1: 215154eb1288f9dd3d22517f201f2bc8026b46fa
SHA256: 9bb26e65103045e2b86ae5bd15a24f46941eb50088b85e502d14f1e13d225f33
SHA512: 73bd915976913c1796346a0b49f85513521bc9b7c0476cf6484dc95e4d0928629f5496808982ea1d14b9dd65f15953c613d9c9df398a03acb51e5aa059b9f4c7
Ssdeep: 12288:EixA6cnOMA7gnK0xoFeXtfg+doDiSRzgd7Cya:itvo/H8XtfKDiM27o

9d116a9a104b6753_WEAO.exe

Name: 9d116a9a104b6753_WEAO.exe
Size: 555.5 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7ac23eeb399e7ae469d21d2a574367b1
SHA1: e04a67777ac401157f80e81a5e77ec26d4bed46f
SHA256: 9d116a9a104b675365804cd8d23c0712e721811f7c5bfbf43494998f96aa3105
SHA512: 3444c1b719d33b24365d599952e36d5100b1724b4e5a7dc5274c83f98bb58e47affaeca31eee044492006d7af960aade366ab8cba8162b2054bc5f12a3620a3b
Ssdeep: 12288:3yb2IsR3vOxSaebPg+nEqV4xa8ORYarCRs/ceTUBiUN:3uLy0REP3V4xaDGRs/HT0N

ae989f5ed1a3dfa8_SYwa.exe

Name: ae989f5ed1a3dfa8_SYwa.exe
Size: 559.1 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 613af9c4f179904ad46b183bbda3fc39
SHA1: 4d771adb7c212340ad61ee47553edd680ac38876
SHA256: ae989f5ed1a3dfa868e6920d44b4f20951e186d55931076d7196351372dc16c5
SHA512: dd07affd48cfb53de07d3e76e9af864dcd2734602e953aa2141cbafe5bd900251059245fcc8a8ea7d921c813434acda9c3630dad00f0cd7e1eaab9f15e9be944
Ssdeep: 12288:CDKpUDJNWHSVVLKXS8EGKD9ByiAKiNUP2lOdRIBDZk/7ZGPskj:SlrqSHKeXbLUcIBDZk/7ZGkkj

d1eb9511145d5344_YsgY.exe

Name: d1eb9511145d5344_YsgY.exe
Size: 499.2 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: eba4463fadcaae91e093f7cc06ead309
SHA1: a34b21dba7893cc3187a103de3c7f84c14aabc9e
SHA256: d1eb9511145d5344ea8b39cdcde93eb2f270335637690b68f586577a6406f1f0
SHA512: 48662f4590c1c27d513965507b0f41c623af74a295d09dc43a247e68b2027cb9cde1e549440aad9ddb839b3d1e23cae66f6a5b27382638451f856ac09eab75fe
Ssdeep: 12288:I8HWPRGsXVeqEVXsU/0QHIod/oSgSbWyJ4gwGD8:dZ0ocQHIodQS/PzD8

d823cb839e9777ee_Xcgk.exe

Name: d823cb839e9777ee_Xcgk.exe
Size: 556.0 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5888801b898eec1ed2c1b1fcb122327e
SHA1: cd5ebb62cb1e89dfa55872d6adfc2e2676472610
SHA256: d823cb839e9777ee8b9410ffd67c130c216646dff991df2a251d76598a13ebf8
SHA512: ec6b32db4dcc6f55a6866c5f4e0a23b6a1698201ca955684457b17e27fa72dbb72dc2acf6f5d91577ed5eb2129308be2ba406998b6ebed64c896044e67e7ae91
Ssdeep: 12288:QYPtllnxCK245xKPB6aO3RybiuSX9KeBgVDHC:JPBxbt5w56aYy2v9KeSTC

dff4fe7ccdc8beb6_zMIS.exe

Name: dff4fe7ccdc8beb6_zMIS.exe
Size: 5.7 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: ed82724c99fe7e71ab8b1d82962ebfc7
SHA1: db9b2c5205f14a8f3874e4fe282970234d410c19
SHA256: dff4fe7ccdc8beb6d68be5e039affdc013386a9d48507f22ff2b3e48e0b116ef
SHA512: 9ff95cdc18b140f647a597d1561a2d93e72ffc2a65d4e138008848d8c282adee41fbb23f040599a7bc8d01283957b60ff62c0e831798b12f143df545620cbf0d
Ssdeep: 49152:f7qXQGXyMly6cP4bVdk55AQttGE5f4euuBvdVsXnct7rYOyn36FebbCraXDyLm6/:DqXQwgAd7WeezVVPVJyvlHM

e34e989fb01df5b4_SQoQ.exe

Name: e34e989fb01df5b4_SQoQ.exe
Size: 503.3 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 910a152e40de858265282dc1662185a2
SHA1: 2f0c4ab2bbc072b5c5fd26d3ad6a4610e170e99c
SHA256: e34e989fb01df5b49779fcc00915f9c39f2feff7e6a6d7d580c6bfc52f8de8b9
SHA512: 21708705c66515289ce17497dbe8e95d8f9fdfaf1296c971d9fe893e0bc6d73c9ab08368208b1a23488968a8267e58fc56970f20d8ad243636b1e10845f7cc3d
Ssdeep: 12288:EYaBnVCaJAd8QIOjtUair/TA1q+YioXVosxO4:YBntOir/TA8+ilo6O4

f7819f3d1ed098cd_BwMM.exe

Name: f7819f3d1ed098cd_BwMM.exe
Size: 527.4 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: dfda475b9c5cf83b2a621c4e697cf785
SHA1: 2591b38204d69d2b6b08395f55468d7c9a3b3947
SHA256: f7819f3d1ed098cd43946790b5264efe415cc236682b3f3a2d6e6ea80e74e62e
SHA512: 233bc8c53be08ba0acac4b6606d9fbc4bd1133c6774f8ca6f9f4475a56f061d8b5166cbb18ef4e672987bac50a58b110bfa6dcafb240cd6534ec08619b6c0e8b
Ssdeep: 12288:H8MwoRmOo5JfaFmTrH+ajoqoXBIWvggooFv:HCOkcgTLevgJAv

Network

DNS Requests

Domain	IP Address	Destination Location
google.com	172.217.9.206	US

HTTP Requests

http://google.com/

GET / HTTP/1.1
Host: google.com

Hosts Involved

IP Address	Country of Origin
172.217.12.238	US
216.58.212.142	US

Geolocation

Destination Country

US:: 100%

File

Type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: F81F1055
MD5: 60a885fa1742e2962f162b6020768331
SHA1: 10c8c09f8ad868feb570fc6c6430df701ed80859
SHA256: 699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537
SHA512: 38181bf960d9d300941c11c87f6c95dc8e3bd307be28e79f74a0a3aff576ebebac065ddcab365a3f5778317223d54509d131cd4b19bd89bd602d0acc319c1a92
Ssdeep: 12288:RqP6BmXvHWj1A8BY9pkJV5h++GcCDFjEmbWPZnivBFYGqeLOI6gk:89W1A8K9pk5h+agDbeZn6FYGqeLOH
PEiD: None matched

Screenshots

Behavior Summary

File-Read

C:\Windows\Fonts\staticcache.dat
C:\Windows\win.ini
\\?\PIPE\samr

File-Written

C:\ProgramData\BaYccoIY\CAMIMsAM.exe
C:\ProgramData\zSgsgkwE\qocgoAYA.exe
C:\Users\Virtual\AppData\Local\Temp\calc_ovl_avx_clear_pattern.exe
C:\Users\Virtual\AppData\Local\Temp\nWoMMcUM.bat
C:\Users\Virtual\IsQUAMQg\JSIMwgEo.exe
\\?\PIPE\samr

File-Deleted

C:\Users\Virtual\AppData\Local\Temp\nWoMMcUM.bat

File-Opened

C:\
C:\ProgramData\zSgsgkwE\qocgoAYA
C:\Users\Virtual\IsQUAMQg\JSIMwgEo
C:\Windows\Fonts\staticcache.dat
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\win.ini
\\?\PIPE\samr

Network-Connects IP

172.217.12.238

Network-Resolves URL

google.com

Directory-Created

C:\ProgramData\BaYccoIY
C:\ProgramData\zSgsgkwE
C:\Users\Virtual\IsQUAMQg

Directory-Enumerated

C:\Users
C:\Users\Virtual
C:\Users\Virtual\AppData
C:\Users\Virtual\AppData\Local
C:\Users\Virtual\AppData\Local\Temp
C:\Users\Virtual\AppData\Local\Temp\calc_ovl_avx_clear_pattern.exe

Registry Key-Opened

HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\calc_ovl_avx_clear_pattern.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder

Registry Key-Read

HKEY_CURRENT_USER\Control Panel\International\sDecimal
HKEY_CURRENT_USER\Control Panel\International\sGrouping
HKEY_CURRENT_USER\Control Panel\International\sThousand
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder

Registry Key-Written

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JSIMwgEo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qocgoAYA.exe

Mutex-Accessed

1@
JIsYQIME
ZiEIogAM1
dWkMYsEU1
gEQAMQss
è0@
ð0@
ø0@

Processes

Process Name

PID

Parent PID

699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537.exe 2640 2288

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1592517256.82		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401000", "exception_code": "0xc0000005", "instruction": "call 0x49617e", "instruction_r": "e8 79 51 09 00 3d 10 ff ff ff 0f 85 60 00 00 00", "module": "699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537.exe", "offset": 4096, "symbol": "699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537+0x1000"} registers: {"eax": 2111255480, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638284}	Status SUCCESS
1592517256.82		NtProtectVirtualMemory	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 598016 protection: 4 base_address: "0x00401000" process_handle: "0xffffffff"	Status SUCCESS
1592517256.84		NtCreateFile	create_disposition: 3 file_handle: "0x00000070" filepath: "C:\DLLS\ProcessInterceptorDebug.txt" desired_access: "0x40100080" file_attributes: 128 filepath_r: "\??\C:\DLLs\ProcessInterceptorDebug.txt" create_options: 96 status_info: 1 share_access: 3	Status SUCCESS
1592517256.84		GetFileType	file_handle: "0x00000070"	Return Value 1 Status SUCCESS
1592517256.84	2	SetFilePointer	move_method: 2 file_handle: "0x00000070" offset: 0	Return Value 5980 Status SUCCESS
1592517256.84		NtWriteFile	buffer: "" offset: 0 file_handle: "0x00000070" filepath: "C:\DLLS\ProcessInterceptorDebug.txt"	Status SUCCESS
1592517256.84		NtClose	handle: "0x00000070"	Status SUCCESS
1592517256.84		NtCreateFile	create_disposition: 3 file_handle: "0x00000070" filepath: "C:\DLLS\ProcessInterceptorDebug.txt" desired_access: "0x40100080" file_attributes: 128 filepath_r: "\??\C:\DLLs\ProcessInterceptorDebug.txt" create_options: 96 status_info: 1 share_access: 3	Status SUCCESS
1592517256.84		GetFileType	file_handle: "0x00000070"	Return Value 1 Status SUCCESS
1592517256.84	2	SetFilePointer	move_method: 2 file_handle: "0x00000070" offset: 0	Return Value 6039 Status SUCCESS

Showing 1 to 10 of 1,000 entries

Previous1 2 3 4 5…100Next

JSIMwgEo.exe 2692 2640

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	API	Arguments	Result
1592517260.78	NtClose	handle: "0x00000064"	Status SUCCESS
1592517260.78	NtOpenKey	key_handle: "0x00000064" desired_access: "0x00020019" regkey: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale"	Status SUCCESS
1592517260.8	NtQueryValueKey	key_handle: "0x00000064" key_name: "" value: "" reg_type: 0 information_class: 1 regkey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US"	Return Value 3221225524 Status FAILURE
1592517260.8	NtClose	handle: "0x00000064"	Status SUCCESS
1592517260.8	NtOpenKey	key_handle: "0x00000064" desired_access: "0x00020019" regkey: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale"	Status SUCCESS
1592517260.8	NtQueryValueKey	key_handle: "0x00000064" key_name: "" value: "" reg_type: 0 information_class: 1 regkey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US"	Return Value 3221225524 Status FAILURE
1592517260.8	NtClose	handle: "0x00000064"	Status SUCCESS
1592517260.8	NtProtectVirtualMemory	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 479232 protection: 64 base_address: "0x00401000" process_handle: "0xffffffff"	Status SUCCESS
1592517260.82	NtOpenFile	file_handle: "0x00000064" filepath: "C:\" desired_access: "0x00100000" filepath_r: "\??\C:\" status_info: 1 open_options: 16417 share_access: 0	Status SUCCESS
1592517260.82	NtQueryInformationFile	file_handle: "0x00000064" information_class: 9	Status SUCCESS

Showing 1 to 10 of 2,745 entries

Previous1 2 3 4 5…275Next

cmd.exe 2864 2640

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	API	Arguments	Result
1592517263.26	GetSystemTimeAsFileTime		Status SUCCESS
1592517263.3	SetUnhandledExceptionFilter		Status FAILURE
1592517263.3	NtOpenThread	access: "0x001fffff" thread_name: "" thread_handle: "0x0000006c" process_identifier: 0	Status SUCCESS
1592517263.3	LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592517263.3	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd8a84f" function_name: "SetThreadUILanguage" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592517263.34	RegOpenKeyExW	regkey_r: "Software\Policies\Microsoft\Windows\System" base_handle: "0x80000001" key_handle: "0x00000000" options: 0 access: "0x00020019" regkey: "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"	Return Value 2 Status FAILURE
1592517263.34	RegOpenKeyExW	regkey_r: "Software\Microsoft\Command Processor" base_handle: "0x80000002" key_handle: "0x00000074" options: 0 access: "0x02000000" regkey: "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor"	Status SUCCESS
1592517263.34	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "DisableUNCCheck" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck"	Return Value 2 Status FAILURE
1592517263.34	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "EnableExtensions" reg_type: 4 value: 1 regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions"	Status SUCCESS
1592517263.34	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "DelayedExpansion" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion"	Return Value 2 Status FAILURE

Showing 1 to 10 of 62 entries

Previous1 2 3 4 5 6 7Next

reg.exe 2912 2640

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1592517263.48		GetSystemTimeAsFileTime		Status SUCCESS
1592517263.48		SetUnhandledExceptionFilter		Status FAILURE
1592517263.5		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1592517263.5	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd7719c" function_name: "SortGetHandle" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592517263.5		GetSystemWindowsDirectoryW	dirpath: "C:\Windows"	Return Value 10 Status SUCCESS
1592517263.51		NtCreateFile	create_disposition: 1 file_handle: "0x00000078" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1592517263.51		NtCreateSection	file_handle: "0x00000078" object_handle: "0x00000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000007c"	Status SUCCESS
1592517263.51		NtMapViewOfSection	section_handle: "0x0000007c" process_identifier: 2912 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x00790000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffff"	Status SUCCESS
1592517263.51	2	NtClose	handle: "0x0000007c"	Status SUCCESS
1592517263.53		RegOpenKeyExW	regkey_r: "Software\Microsoft\Windows\CurrentVersion\Policies\System" base_handle: "0x80000001" key_handle: "0x00000000" options: 0 access: "0x02000000" regkey: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"	Return Value 2 Status FAILURE

Showing 1 to 10 of 38 entries

Previous1 2 3 4Next

reg.exe 2956 2640

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1592517263.53		GetSystemTimeAsFileTime		Status SUCCESS
1592517263.53		SetUnhandledExceptionFilter		Status FAILURE
1592517263.53		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1592517263.53	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd7719c" function_name: "SortGetHandle" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592517263.53		GetSystemWindowsDirectoryW	dirpath: "C:\Windows"	Return Value 10 Status SUCCESS
1592517263.55		NtCreateFile	create_disposition: 1 file_handle: "0x00000078" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1592517263.55		NtCreateSection	file_handle: "0x00000078" object_handle: "0x00000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000007c"	Status SUCCESS
1592517263.55		NtMapViewOfSection	section_handle: "0x0000007c" process_identifier: 2956 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x00820000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffff"	Status SUCCESS
1592517263.55	2	NtClose	handle: "0x0000007c"	Status SUCCESS
1592517263.55		RegOpenKeyExW	regkey_r: "Software\Microsoft\Windows\CurrentVersion\Policies\System" base_handle: "0x80000001" key_handle: "0x00000000" options: 0 access: "0x02000000" regkey: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"	Return Value 2 Status FAILURE

Showing 1 to 10 of 38 entries

Previous1 2 3 4Next

reg.exe 3012 2640

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1592517263.65		GetSystemTimeAsFileTime		Status SUCCESS
1592517263.65		SetUnhandledExceptionFilter		Status FAILURE
1592517263.65		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1592517263.65	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd7719c" function_name: "SortGetHandle" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592517263.65		GetSystemWindowsDirectoryW	dirpath: "C:\Windows"	Return Value 10 Status SUCCESS
1592517263.65		NtCreateFile	create_disposition: 1 file_handle: "0x00000078" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1592517263.65		NtCreateSection	file_handle: "0x00000078" object_handle: "0x00000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000007c"	Status SUCCESS
1592517263.65		NtMapViewOfSection	section_handle: "0x0000007c" process_identifier: 3012 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x00860000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffff"	Status SUCCESS
1592517263.65	2	NtClose	handle: "0x0000007c"	Status SUCCESS
1592517263.65		RegOpenKeyExW	regkey_r: "Software\Microsoft\Windows\CurrentVersion\Policies\System" base_handle: "0x80000001" key_handle: "0x00000000" options: 0 access: "0x02000000" regkey: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"	Return Value 2 Status FAILURE

Showing 1 to 10 of 38 entries

Previous1 2 3 4Next

calc_ovl_avx_clear_pattern.exe 2088 2864

Time	API	Arguments	Result
1592517264.15	FindResourceExW	module_handle: "0x01000000" type: "SC" name: "#14" language_identifier: 0	Return Value 16868736 Status SUCCESS
1592517264.15	LoadResource	pointer: "0x0101e3dc" resource_handle: "0x01016580" module_handle: "0x01000000"	Return Value 16901084 Status SUCCESS
1592517264.15	FindResourceExW	module_handle: "0x01000000" type: "#7" name: "#3" language_identifier: 0	Return Value 16868464 Status SUCCESS
1592517264.15	LoadResource	pointer: "0x0101ac28" resource_handle: "0x01016470" module_handle: "0x01000000"	Return Value 16886824 Status SUCCESS
1592517264.15	LoadStringW	module_handle: "0x01000000" id: 0 string: "+/-"	Return Value 3 Status SUCCESS
1592517264.15	LoadStringW	module_handle: "0x01000000" id: 1 string: "C"	Return Value 1 Status SUCCESS
1592517264.15	LoadStringW	module_handle: "0x01000000" id: 2 string: "CE"	Return Value 2 Status SUCCESS
1592517264.15	LoadStringW	module_handle: "0x01000000" id: 3 string: "Backspace"	Return Value 9 Status SUCCESS
1592517264.15	LoadStringW	module_handle: "0x01000000" id: 4 string: "Sta"	Return Value 3 Status SUCCESS
1592517264.15	LoadStringW	module_handle: "0x01000000" id: 5 string: "."	Return Value 1 Status SUCCESS

cmd.exe 2228 1884

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	API	Arguments	Result
1592517280.27	GetSystemTimeAsFileTime		Status SUCCESS
1592517280.27	SetUnhandledExceptionFilter		Status FAILURE
1592517280.27	NtOpenThread	access: "0x001fffff" thread_name: "" thread_handle: "0x0000006c" process_identifier: 0	Status SUCCESS
1592517280.27	LdrGetDllHandle	module_name: "KERNEL32.DLL" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1592517280.27	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd8a84f" function_name: "SetThreadUILanguage" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592517280.28	RegOpenKeyExW	regkey_r: "Software\Policies\Microsoft\Windows\System" base_handle: "0x80000001" key_handle: "0x00000000" options: 0 access: "0x00020019" regkey: "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"	Return Value 2 Status FAILURE
1592517280.28	RegOpenKeyExW	regkey_r: "Software\Microsoft\Command Processor" base_handle: "0x80000002" key_handle: "0x00000074" options: 0 access: "0x02000000" regkey: "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor"	Status SUCCESS
1592517280.28	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "DisableUNCCheck" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck"	Return Value 2 Status FAILURE
1592517280.28	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "EnableExtensions" reg_type: 4 value: 1 regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions"	Status SUCCESS
1592517280.28	RegQueryValueExW	key_handle: "0x00000074" regkey_r: "DelayedExpansion" reg_type: 0 value: "" regkey: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion"	Return Value 2 Status FAILURE

Showing 1 to 10 of 62 entries

Previous1 2 3 4 5 6 7Next

reg.exe 1776 1884

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1592517280.24		GetSystemTimeAsFileTime		Status SUCCESS
1592517280.24		SetUnhandledExceptionFilter		Status FAILURE
1592517280.24		LdrLoadDll	module_name: "kernel32.dll" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1592517280.24	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd7719c" function_name: "SortGetHandle" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1592517280.24		GetSystemWindowsDirectoryW	dirpath: "C:\Windows"	Return Value 10 Status SUCCESS
1592517280.24		NtCreateFile	create_disposition: 1 file_handle: "0x00000078" filepath: "C:\Windows\Globalization\Sorting\sortdefault.nls" desired_access: "0x80100080" file_attributes: 128 filepath_r: "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" create_options: 96 status_info: 1 share_access: 1	Status SUCCESS
1592517280.24		NtCreateSection	file_handle: "0x00000078" object_handle: "0x00000000" desired_access: "0x000f0005" protection: 2 section_name: "" section_handle: "0x0000007c"	Status SUCCESS
1592517280.24		NtMapViewOfSection	section_handle: "0x0000007c" process_identifier: 1776 commit_size: 0 win32_protect: 2 buffer: "" base_address: "0x00830000" allocation_type: 0 section_offset: 0 view_size: 2945024 process_handle: "0xffffffff"	Status SUCCESS
1592517280.24	2	NtClose	handle: "0x0000007c"	Status SUCCESS
1592517280.24		RegOpenKeyExW	regkey_r: "Software\Microsoft\Windows\CurrentVersion\Policies\System" base_handle: "0x80000001" key_handle: "0x00000000" options: 0 access: "0x02000000" regkey: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"	Return Value 2 Status FAILURE

Showing 1 to 10 of 38 entries

Previous1 2 3 4Next

Classification

Indicators

Yara

Static Analysis

Sections

Imports

Library kernel32.dll:

Library user32.dll:

Strings

Dropped Files

1f04b1692e66f8bb_xkIO.exe

21e6dacab9094c37_dcEc.exe

2a4d57031801f949_tgoe.exe

34ffc7b370986af0_yQcG.exe

35a10abc01adcd14_gEga.exe

40af3f6b6e8d7016_lkMe.exe

466fcc98a4e44804_uQUm.exe

51b929867d3d0c43_nQQu.exe

556db5a3943229d4_YUYg.exe

88325fcf49a3261f_EggI.exe

89504f8480449cfe_cQAw.exe

94b8f303a0617acf_zUUe.exe

94f5d2da12064396_QMMQ.exe

98730c7b1b6b5a06_xIIm.exe

9bb26e65103045e2_hQAI.exe

9d116a9a104b6753_WEAO.exe

ae989f5ed1a3dfa8_SYwa.exe

d1eb9511145d5344_YsgY.exe

d823cb839e9777ee_Xcgk.exe

dff4fe7ccdc8beb6_zMIS.exe

e34e989fb01df5b4_SQoQ.exe

f7819f3d1ed098cd_BwMM.exe

Network

DNS Requests

HTTP Requests

http://google.com/

Hosts Involved

Geolocation

Destination Country

File

Screenshots

Behavior Summary

File-Read

File-Written

File-Deleted

File-Opened

Network-Connects IP

Network-Resolves URL

Directory-Created

Directory-Enumerated

Registry Key-Opened

Registry Key-Read

Registry Key-Written

Mutex-Accessed

Processes

699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537.exe26402288

JSIMwgEo.exe26922640

cmd.exe28642640

reg.exe29122640

reg.exe29562640

reg.exe30122640

calc_ovl_avx_clear_pattern.exe20882864

cmd.exe22281884

reg.exe17761884

calc_ovl_avx_clear_pattern.exe25002228

699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537.exe 2640 2288

JSIMwgEo.exe 2692 2640

cmd.exe 2864 2640

reg.exe 2912 2640

reg.exe 2956 2640

reg.exe 3012 2640

calc_ovl_avx_clear_pattern.exe 2088 2864

cmd.exe 2228 1884

reg.exe 1776 1884

calc_ovl_avx_clear_pattern.exe 2500 2228