Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	394065
Start time:	10:18:19
Joe Sandbox Product:	Cloud
Start date:	25.10.2017
Overall analysis duration:	0h 9m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	i0YxTJ2SO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript)
Detection:	MAL
Classification:	mal84.evad.spre.expl.rans.winEXE@35/5@0/4
HCA Information:	Successful, ratio: 99% Number of executed functions: 101 Number of non-executed functions: 75
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Found application associated with file extension: .exe
Warnings:	Show All Connection to analysis system has been lost Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	84	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475507 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,	3_2_00475507
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475BC4 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,	3_2_00475BC4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_004715A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	3_2_004715A7
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475A73 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,	3_2_00475A73
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475613 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree,	3_2_00475613
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475D0A CryptDuplicateKey,CreateFileW,GetFileSizeEx,__alldiv,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CryptDestroyKey,SetEvent,	3_2_00475D0A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0047554A CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,	3_2_0047554A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00476299 CreateEventW,CreateThread,WaitForSingleObject,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree,	3_2_00476299
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0047559B CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree,	3_2_0047559B
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475780 CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,	3_2_00475780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_004756D8 CryptEncrypt,CryptEncrypt,LocalAlloc,memcpy,CryptEncrypt,LocalFree,	3_2_004756D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00476085 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,	3_2_00476085
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00476246 CryptCreateHash,CryptHashData,CryptGetHashParam,	3_2_00476246

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_004715A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,

3_2_004715A7

Clears the journal log

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

Clears the windows event log

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

Exploits:

Connects to many different private IPs (likely to spread or exploit)

Show sources

Source: global traffic	TCP traffic: 192.168.1.1:445
Source: global traffic	TCP traffic: 192.168.1.0:139
Source: global traffic	TCP traffic: 192.168.1.2:80

Connects to many different private IPs via SMB (likely to spread or exploit)

Show sources

Source: global traffic	TCP traffic: 192.168.1.1:445
Source: global traffic	TCP traffic: 192.168.1.0:139
Source: global traffic	TCP traffic: 192.168.1.2:445

Networking:

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00471EB9 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,htons,send,recv,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

3_2_00471EB9

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi82PVYYKWGJWdgVNyePy5kYTdqQQUX5r1blzMzHSa1N197z%2Fb7EyALt0CEA7P9DjI%2Fr81bgTYapgbGlA%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: ts-ocsp.ws.symantec.com
Source: global traffic	HTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQd11mpyHEqFCSocj4SCu93CBydHAQUr2PWyqNOhXLgp7xB8ymiOH%2BAdWICEFRY8qrXQdZEvISpe6CWUuY%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: ts-ocsp.ws.symantec.com

Urls found in memory or binary data

Show sources

Source: rundll32.exe	String found in binary or memory: http://192.168.1.2/
Source: rundll32.exe	String found in binary or memory: http://192.168.1.2/g
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://crl.thawte.com/thawtetimestampingca.crl0
Source: rundll32.exe, cscc.dat.3.dr, dispci.exe.3.dr	String found in binary or memory: http://diskcryptor.net/
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://rb.symcb.com/rb.crl0w
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://rb.symcb.com/rb.crt0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://rb.symcd.com0&
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://s.symcd.com0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://s.symcd.com06
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0w
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://sf.symcd.com0&
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: infpub.dat.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: https://d.symcb.com/rpa06

Boot Survival:

Contains functionality to start windows services

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00479534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,

3_2_00479534

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\9706.tmp
Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	File created: C:\Windows\infpub.dat

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\9706.tmp
Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	File created: C:\Windows\infpub.dat

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\rundll32.exe

Executable created and started: C:\Windows\9706.tmp

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00479016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,

3_2_00479016

PE file contains an invalid checksum

Show sources

Source: 9706.tmp.3.dr

Static PE information: real checksum: 0x114bd should be: 0x1e635

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\9706.tmp

Code function: 10_2_013059E5 push ecx; ret

10_2_013059F8

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00475E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,

3_2_00475E9F

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Contains functionality to enumerate network shares of other devices

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00479534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError, \\%s\admin$		3_2_00479534
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00479B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$		3_2_00479B63

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: i0YxTJ2SO.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: dcrypt.pdbp source: rundll32.exe, cscc.dat.3.dr
Source:	Binary string: wdigest.pdb source: 9706.tmp
Source:	Binary string: dcrypt.pdb source: rundll32.exe, cscc.dat.3.dr
Source:	Binary string: wdigest.pdbJ6 source: 9706.tmp

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Show sources

Source: cscc.dat.3.dr

Binary string: configFlags\Device\dcrypt\DosDevices\dcryptdump_hiber_%s\$dcsys$$dcsys$\Device\CdRom%s\$DC_TRIM_%x$$dcsys$_fail_%xNTFSFATFAT32exFATH

Binary contains paths to development resources

Show sources

Source: dispci.exe.3.dr	Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted%lS OK
Source: i0YxTJ2SO.exe, rundll32.exe, infpub.dat.1.dr	Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERM

Classification label

Show sources

Source: classification engine

Classification label: mal84.evad.spre.expl.rans.winEXE@35/5@0/4

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00477CC5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError,

3_2_00477CC5

Contains functionality to create services

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		3_2_00471368
Source: C:\Windows\System32\rundll32.exe	Code function: wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,		3_2_00479534

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_004784EE CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

3_2_004784EE

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00478313 FindResourceW,LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

3_2_00478313

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Windows\System32\rundll32.exe

3_2_00479534

Found command line output

Show sources

Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0.....E.R.R.O.R.:. .............................}u..........#...}u.... .....i.,.#.G..v..#...........#.....
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0.................=.................................W...#.....................g_v.`.#.....X...j..u..(.....
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0.............0...L...........................`.....0...2...2..................................{{.....G..v
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0.............0...n...........................`.....1...3.x.3.......$...............$.........3p....$.G..v
Source: C:\Windows\System32\shutdown.exe	Console Write: ..............".....A. .s.y.s.t.e.m. .s.h.u.t.d.o.w.n. .i.s. .i.n. .p.r.o.g.r.e.s.s...(.1.1.1.5.)...P.".P...@.".....6...

PE file has an executable .text section and no other executable section

Show sources

Source: i0YxTJ2SO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Show sources

Source: C:\Windows\System32\LogonUI.exe

File read: C:\Windows\win.ini

Reads software policies

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Runs a DLL by calling functions

Show sources

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\i0YxTJ2SO.exe 'C:\Users\user\Desktop\i0YxTJ2SO.exe'
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: unknown	Process created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: unknown	Process created: C:\Windows\System32\shutdown.exe C:\Windows\system32\shutdown.exe /r /t 0 /f
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe 'LogonUI.exe' /flags:0x0
Source: unknown	Process created: C:\Windows\System32\schtasks.exe unknown
Source: unknown	Process created: C:\Windows\System32\fsutil.exe unknown
Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\schtasks.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Show sources

Source: infpub.dat.1.dr

Static PE information: Section: .rsrc ZLIB complexity 0.995711959814

Contains functionality to call native functions

Show sources

Source: C:\Windows\9706.tmp	Code function: 10_2_01301D4C GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,		10_2_01301D4C
Source: C:\Windows\9706.tmp	Code function: 10_2_0130184E NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,LocalAlloc,NtQuerySystemInformation,LocalFree,		10_2_0130184E

Contains functionality to delete services

Show sources

Source: C:\Windows\System32\rundll32.exe

3_2_00479534

Contains functionality to launch a process as a different user

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00479B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError,

3_2_00479B63

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00478A23 InitiateSystemShutdownExW,ExitWindowsEx,ExitProcess,

3_2_00478A23

Creates files inside the system directory

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe

File created: C:\Windows\infpub.dat

Creates mutexes

Show sources

Source: C:\Windows\System32\rundll32.exe

Mutant created: \Sessions\1\BaseNamedObjects\85427E2A3AD6FDE5

Deletes Windows files

Show sources

Source: C:\Windows\System32\rundll32.exe

File deleted: C:\Windows\infpub.dat

Enables security privileges

Show sources

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

PE file contains strange resources

Show sources

Source: i0YxTJ2SO.exe	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: i0YxTJ2SO.exe	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

PE file has an invalid certificate

Show sources

Source: i0YxTJ2SO.exe

Static PE information: invalid certificate

Reads the hosts file

Show sources

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: i0YxTJ2SO.exe	Binary or memory string: OriginalFilenameFlashUtil.exev+ vs i0YxTJ2SO.exe
Source: i0YxTJ2SO.exe	Binary or memory string: OriginalFilenameFlashUtil.exev+ vs i0YxTJ2SO.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe

File read: C:\Users\user\Desktop\i0YxTJ2SO.exe

Contains functionality to create processes via WMI

Show sources

Source: i0YxTJ2SO.exe

Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERM

Uses shutdown.exe to shutdown or reboot the system

Show sources

Source: unknown

Process created: C:\Windows\System32\shutdown.exe C:\Windows\system32\shutdown.exe /r /t 0 /f

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00476FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,

3_2_00476FFE

Contains functionality to create a new security descriptor

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0047841D GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateToken,AllocateAndInitializeSid,CheckTokenMembership,TerminateProcess,FreeSid,CloseHandle,CloseHandle,CloseHandle,

3_2_0047841D

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe unknown

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	Code function: 1_2_003E1499 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_003E1499
Source: C:\Windows\9706.tmp	Code function: 10_2_01304D59 SetUnhandledExceptionFilter,	10_2_01304D59
Source: C:\Windows\9706.tmp	Code function: 10_2_01304B37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_01304B37
Source: C:\Windows\9706.tmp	Code function: 10_2_0130601E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0130601E

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\rundll32.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Windows\9706.tmp

Code function: 10_2_01304B37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_01304B37

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00479016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,

3_2_00479016

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe

Code function: 1_2_003E1690 GetProcessHeap,

1_2_003E1690

Enables debug privileges

Show sources

Source: C:\Windows\System32\rundll32.exe	Process token adjusted: Debug
Source: C:\Windows\9706.tmp	Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00475E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,

3_2_00475E9F

Contains functionality to query system information

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00475BC4 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,

3_2_00475BC4

Program exit points

Show sources

Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-4855
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-4748
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-4766

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Process information queried: ProcessInformation

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 2000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 500
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 1000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 300000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 900000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 180000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 3000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 10000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 180000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 500

Found decision node followed by non-executed suspicious APIs

Show sources

Source: C:\Windows\System32\rundll32.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-5612

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Windows\9706.tmp

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\rundll32.exe TID: 3468	Thread sleep time: -2000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3540	Thread sleep time: -5000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3548	Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3628	Thread sleep time: -300000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3468	Thread sleep time: -900000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3544	Thread sleep time: -540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3468	Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3624	Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3544	Thread sleep time: -180000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3540	Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\LogonUI.exe TID: 3960	Thread sleep time: -60000s >= -60s

Found evasive API chain (may stop execution after checking computer name)

Show sources

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess

graph_3-4844

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_3-4847

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Windows\9706.tmp

Code function: 10_2_013025AC GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_013025AC

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC

Show sources

Source: C:\Windows\System32\rundll32.exe

3_2_00476FFE

Contains functionality to query local / system time

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00478192 GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW,

3_2_00478192

Contains functionality to query time zone information

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_004757E5 LocalAlloc,GetSystemDefaultLCID,GetTimeZoneInformation,memcpy,NetWkstaGetInfo,memcpy,memcpy,NetApiBufferFree,LocalAlloc,memcpy,LocalFree,LocalFree,

3_2_004757E5

Contains functionality to query windows version

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00471531 GetVersion,

3_2_00471531

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
10:18:44	API Interceptor	1x Sleep call for process: rundll32.exe modified from: 900000ms to: 500ms
10:18:44	API Interceptor	1x Sleep call for process: rundll32.exe modified from: 300000ms to: 500ms
10:18:46	Task Scheduler	Run new task: drogon path: C:\Windows\system32\shutdown.exe s>/r /t 0 /f
10:36:00	API Interceptor	4x Sleep call for process: rundll32.exe modified from: 180000ms to: 500ms
10:36:03	API Interceptor	1x Sleep call for process: LogonUI.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot

Startup

System is w7_1

i0YxTJ2SO.exe (PID: 3432 cmdline: 'C:\Users\user\Desktop\i0YxTJ2SO.exe' MD5: FBBDC39AF1139AEBBA4DA004475E8839)

rundll32.exe (PID: 3464 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cmd.exe (PID: 3476 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)

schtasks.exe (PID: 3496 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

cmd.exe (PID: 3512 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit' MD5: AD7B9C14083B52BC532FBA5948342B98)

schtasks.exe (PID: 3568 cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

cmd.exe (PID: 3524 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

schtasks.exe (PID: 3608 cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

9706.tmp (PID: 3560 cmdline: 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE} MD5: 37945C44A897AA42A66ADCAB68F560E0)

cmd.exe (PID: 3656 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: AD7B9C14083B52BC532FBA5948342B98)

wevtutil.exe (PID: 3688 cmdline: wevtutil cl Setup MD5: 81538B795F922B8DA6FD897EFB04B5EE)

wevtutil.exe (PID: 3748 cmdline: wevtutil cl System MD5: 81538B795F922B8DA6FD897EFB04B5EE)

wevtutil.exe (PID: 3820 cmdline: wevtutil cl Security MD5: 81538B795F922B8DA6FD897EFB04B5EE)

wevtutil.exe (PID: 3844 cmdline: wevtutil cl Application MD5: 81538B795F922B8DA6FD897EFB04B5EE)

fsutil.exe (PID: 3976 cmdline: unknown MD5: B4834F08230A2EB7F498DE4E5B6AB814)

cmd.exe (PID: 3836 cmdline: /c schtasks /Delete /F /TN drogon MD5: AD7B9C14083B52BC532FBA5948342B98)

schtasks.exe (PID: 3928 cmdline: unknown MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

shutdown.exe (PID: 3708 cmdline: C:\Windows\system32\shutdown.exe /r /t 0 /f MD5: 61739432482891F2DC5745CCA0A67028)

LogonUI.exe (PID: 3900 cmdline: 'LogonUI.exe' /flags:0x0 MD5: 3EF0D8AB08385AAB5802E773511A2E6A)

cleanup

Created / dropped Files

C:\Windows\9706.tmp
File Type:	PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	7F10CDA876977CE8C2AFFCFE349A65F6C64D0BDB
SHA-256:	785634393BDB64352EB3705F2E9D3BCAEE754E6B0199C90B4A361A5600FEA3FC
SHA-512:	757F2EC10A018B4019BF9CF5FC26724C168EC0D07AF1E02EE66A5AFBEA9AC6BF255948BEBEE5867E868B3872AA9D40A08644B22F30D3C646F7E1C9AAAEE4BBE6
Malicious:	true
Reputation:	low

C:\Windows\cscc.dat
File Type:	PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	59CD4907A438B8300A467CEE1C6FC31135757039
SHA-256:	682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806
SHA-512:	9A5FDD0512CAF7AC029C3877CC884286082E4E041F9DC38AB00735DE097D5AC93660671E772737DF3313317D80455048A6059C12ACB6F9AFC32E2E15CB2BBEDF
Malicious:	false
Reputation:	low

C:\Windows\dispci.exe
File Type:	PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
SHA-256:	8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
SHA-512:	F5DCBF3634AEDFE5B8D6255E20015555343ADD5B1BE3801E62A5987E86A3E52495B5CE3156E4F63CF095D0CEDFB63939EAF39BEA379CCAC82A10A4182B8DED22
Malicious:	false
Reputation:	low

C:\Windows\infpub.dat
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	E9EFC622924FB965D4A14BDB6223834D9A9007E7
SHA-256:	14D82A676B63AB046AE94FA5E41F9F69A65DC7946826CB3D74CEA6C030C2F958
SHA-512:	AFC2A8466F106E81D423065B07AED2529CBF690AB4C3E019334F1BEDFB42DC0E0957BE83D860A84B7285BD49285503BFE95A1CF571A678DBC9BDB07789DA928E
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
192.168.1.1	unknown	unknown	unknown	false
192.168.1.0	unknown	unknown	unknown	false
192.168.1.2	unknown	unknown	unknown	false
23.54.91.27	United States	20940	AKAMAI-ASN1US	false

Static File Info

General
File type:	PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	i0YxTJ2SO.exe
File size:	441899
MD5:	fbbdc39af1139aebba4da004475e8839
SHA1:	de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256:	630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512:	74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&\..G2..G2..G2..?...G2..?...G2......G2......G2..?...G2..G3..G2......G2......G2.Rich.G2.........................PE..L......Y...

File Icon

Static PE Info

General
Entrypoint:	0x4012c0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x59EC0396 [Sun Oct 22 02:33:58 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e3bda9df66f1f9b2b9b7b068518f2af1

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/16/2016 1:00:00 AM 12/18/2017 12:59:59 AM
Subject Chain	CN=Symantec Corporation, OU=STAR Security Engines, O=Symantec Corporation, L=Mountain View, S=California, C=US
Version:	3
Thumbprint:	AD96BB64BA36379D2E354660780C2067B81DA2E0
Serial:	0EBFEA68D677B3E26CAB41C33F3E69DE

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, 000012ACh
call 1057CFD8h
mov eax, dword ptr [00408000h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push esi
mov esi, dword ptr [00404004h]
push edi
call esi
mov edi, eax
test edi, edi
je 1057CDE2h
lea eax, dword ptr [ebp-00001250h]
push eax
mov dword ptr [ebp-00001250h], 00000000h
call esi
push eax
call dword ptr [00404050h]
mov esi, eax
test esi, esi
je 1057CDBEh
cmp dword ptr [ebp-00001250h], 01h
jne 1057CC63h
xor eax, eax
lea ebx, dword ptr [ebx+00000000h]
movzx ecx, word ptr [eax+00406CF0h]
mov word ptr [ebp+eax-0000124Ch], cx
add eax, 02h
test cx, cx
jne 1057CC2Bh
jmp 1057CC98h
mov eax, dword ptr [esi]
push eax
push edi
call dword ptr [00404060h]
mov ecx, dword ptr [esi]
add esp, 08h
lea esi, dword ptr [ecx+02h]
jmp 1057CC45h
lea ecx, dword ptr [ecx+00h]
mov dx, word ptr [ecx]
add ecx, 02h
test dx, dx
jne 1057CC37h
sub ecx, esi
sar ecx, 1
cmp word ptr [eax+ecx*2], 0022h
lea eax, dword ptr [eax+ecx*2]
jne 1057CC45h
add eax, 02h
cmp word ptr [eax], 0020h
jne 1057CC45h
add eax, 02h
lea edx, dword ptr [ebp-0000124Ch]
sub edx, eax
lea ecx, dword ptr [ecx+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d8c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x7088	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x689a3	0x3488
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11000	0x1a8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x74	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ed3	0x3000	False	0.610188802083	ump; data	6.58410377892	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x302a	0x3200	False	0.81	ump; data	7.17725886834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8000	0x33c	0x200	False	0.048828125	ump; data	0.183338791656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x9000	0x7088	0x7200	False	0.166152686404	ump; data	4.20408578098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x24e	0x400	False	0.41796875	ump; data	3.29313868559	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x9254	0xea8	ump; data	English	United States
RT_ICON	0xa0fc	0x8a8	ump; data	English	United States
RT_ICON	0xa9a4	0x568	ump; GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xaf0c	0x10a8	ump; data	English	United States
RT_ICON	0xbfb4	0x25a8	ump; data	English	United States
RT_ICON	0xe55c	0x10a8	ump; data	English	United States
RT_ICON	0xf604	0x468	ump; GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0xfa6c	0x68	ump; MS Windows icon resource - 7 icons, 48x48, 256-colors	English	United States
RT_VERSION	0xfad4	0x450	ump; data	English	United States
RT_MANIFEST	0xff24	0x161	ump; ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	ExitProcess, GetCommandLineW, GetFileSize, CreateProcessW, HeapAlloc, HeapFree, GetModuleHandleW, GetProcessHeap, WriteFile, GetSystemDirectoryW, ReadFile, GetModuleFileNameW, CreateFileW, lstrcatW, CloseHandle, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter
USER32.dll	wsprintfW
SHELL32.dll	CommandLineToArgvW
msvcrt.dll	wcsstr, memcpy, free, malloc

Version Infos

Description	Data
LegalCopyright	Copyright 1996-2017 Adobe Systems Incorporated
InternalName	Adobe Flash Player Installer/Uninstaller 27.0
FileVersion	27,0,0,170
CompanyName	Adobe Systems Incorporated
LegalTrademarks	Adobe Flash Player
ProductName	Adobe Flash Player Installer/Uninstaller
ProductVersion	27,0,0,170
FileDescription	Adobe Flash Player Installer/Uninstaller 27.0 r0
OriginalFilename	FlashUtil.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Okt 25, 2017 10:19:05.549350977 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:05.549423933 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:05.549571991 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:05.549827099 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:05.549864054 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:06.408255100 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:06.408282995 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:06.408633947 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:11.537026882 MESZ	49171	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:11.537050009 MESZ	80	49171	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:12.107522011 MESZ	49171	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:12.107568979 MESZ	80	49171	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:12.607408047 MESZ	49171	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:12.607438087 MESZ	80	49171	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:12.633356094 MESZ	49175	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:12.633382082 MESZ	80	49175	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:13.217000961 MESZ	49175	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:13.217032909 MESZ	80	49175	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:13.716617107 MESZ	49175	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:13.716655016 MESZ	80	49175	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:13.901700020 MESZ	49182	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:13.901732922 MESZ	80	49182	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:14.102214098 MESZ	80	49164	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:14.102286100 MESZ	49164	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:14.102366924 MESZ	49164	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:14.102390051 MESZ	80	49164	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:14.232072115 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:14.232112885 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:14.435813904 MESZ	49182	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:14.435853958 MESZ	80	49182	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:14.935329914 MESZ	49182	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:14.935369968 MESZ	80	49182	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:15.028579950 MESZ	49185	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:15.028613091 MESZ	80	49185	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:15.518414021 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:15.518435001 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:15.518537998 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:15.545139074 MESZ	49185	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:15.545197010 MESZ	80	49185	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:16.044704914 MESZ	49185	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:16.044728041 MESZ	80	49185	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:31.113209963 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:31.316478968 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:31.520481110 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:31.928483963 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:32.744473934 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:34.380484104 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:37.652494907 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:44.196482897 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:57.300494909 MESZ	80	49167	23.54.91.27	192.168.1.16

HTTP Request Dependency Graph

ts-ocsp.ws.symantec.com

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Okt 25, 2017 10:19:05.549827099 MESZ	49167	80	192.168.1.16	23.54.91.27	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi82PVYYKWGJWdgVNyePy5kYTdqQQUX5r1blzMzHSa1N197z%2Fb7EyALt0CEA7P9DjI%2Fr81bgTYapgbGlA%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ts-ocsp.ws.symantec.com	3
Okt 25, 2017 10:19:06.408255100 MESZ	80	49167	23.54.91.27	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Content-Type: application/ocsp-response Content-Length: 1469 content-transfer-encoding: binary Cache-Control: max-age=419637, public, no-transform, must-revalidate Last-Modified: Mon, 23 Oct 2017 04:49:19 GMT Expires: Mon, 30 Oct 2017 04:49:19 GMT Date: Wed, 25 Oct 2017 08:19:05 GMT Connection: keep-alive Data Raw: 30 82 05 b9 0a 01 00 a0 82 05 b2 30 82 05 ae 06 09 2b 06 01 05 05 07 30 01 01 04 82 05 9f 30 82 05 9b 30 81 9e a2 16 04 14 af f2 0c ff 31 a4 51 0e e1 aa 89 56 f6 a0 cf df 88 11 15 29 18 0f 32 30 31 37 31 30 32 33 30 34 34 39 31 39 5a 30 73 30 71 30 49 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 62 f3 63 d5 61 82 96 18 95 9d 81 53 72 78 fc b9 91 84 dd a9 04 14 5f 9a f5 6e 5c cc cc 74 9a d4 dd 7d ef 3f db ec 4c 80 2e dd 02 10 0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 80 00 18 0f 32 30 31 37 31 30 32 33 30 34 34 39 31 39 5a a0 11 18 0f 32 30 31 37 31 30 33 30 30 34 34 39 31 39 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 4f 17 f0 c8 73 f0 94 0b b9 22 58 62 c1 30 57 b3 28 4d 71 d5 ba 31 9a 12 d2 e6 e7 3c 82 35 b8 dc 42 2a f8 36 10 4c 8b 3c 87 1e 8f 27 33 23 68 b9 71 49 e1 68 91 24 63 4b 57 18 90 30 40 7b 5c 95 95 d9 01 19 b3 a0 7b 23 08 e8 6f 6c e1 f7 4b 6c 68 da e9 25 31 68 dc 1c cc 4f c0 99 f6 fb a3 f3 a5 93 10 d3 17 bb 27 b0 e7 2d 23 d9 6f 2f 6d 14 43 57 36 40 6d 09 ae 84 0e 41 69 00 77 44 ee ca d9 54 26 9c 87 67 e8 c1 f8 0d a1 b6 44 90 23 e9 20 22 5f f9 4b a3 df ed 1f 35 94 9e 09 5d 6a a7 0e 0e 88 a6 3b 3c b7 9b 5b 29 e5 82 2f 96 fe b8 ee 5c 25 0c 27 6c 3a a3 70 98 2f 24 c2 4e e3 76 47 de 53 cf 9f 17 0f 8c 47 fd 21 ee 32 83 13 81 b4 78 e2 42 c5 f8 ce f9 87 5d 3c 0b 53 e0 67 7d 8c e0 61 9c a8 f4 7d 2d b3 59 80 b6 ec db d4 59 ca 05 ef fa fb 1e 9d 70 25 46 bf 0a 3b 9c 24 f8 a0 82 03 e2 30 82 03 de 30 82 03 da 30 82 02 c2 a0 03 02 01 02 02 10 1b af 02 f5 b8 fc fa 01 4e 80 47 46 73 25 7f 23 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 5e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 1d 30 1b 06 03 55 04 0a 13 14 53 79 6d 61 6e 74 65 63 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 30 30 2e 06 03 55 04 03 13 27 53 79 6d 61 6e 74 65 63 20 54 69 6d 65 20 53 74 61 6d 70 69 6e 67 20 53 65 72 76 69 63 65 73 20 43 41 20 2d 20 47 32 30 1e 17 0d 31 36 31 32 31 33 30 30 30 30 30 30 5a 17 0d 32 31 31 32 33 31 32 33 35 39 35 39 5a 30 46 31 44 30 42 06 03 55 04 03 13 3b 53 79 6d 61 6e 74 65 63 20 54 69 6d 65 20 53 74 61 6d 70 69 6e 67 20 53 65 72 76 69 63 65 73 20 43 41 20 2d 20 47 32 20 53 48 41 31 20 4f 43 53 50 20 52 65 73 70 6f 6e 64 65 72 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 86 45 f0 3c 53 d4 0c 3c 26 6d 2a a1 c3 a5 ed 80 18 55 80 ec 8c f0 54 5b db 9e d0 0e d5 96 c5 99 82 55 2a 7e 32 c0 15 ae 4c cd e3 c6 07 53 4f 71 be ab f5 58 99 39 8f f7 c7 d6 33 35 e4 0c 6d 18 80 7a d7 0a 55 7b fd 6a 8a 8d 9b 69 d3 a7 48 f2 c1 bd 90 6e 33 cc 02 ef 1f 0d 69 69 9f f3 36 2a 8f c6 e3 14 10 7c 53 b3 66 1f 6e ec 8e a8 cd 6b e1 c9 19 a1 9c 39 96 8a 6f 9c 2c 5f 84 d9 de 5f bb af 3c 1d 31 e2 7a db 68 96 0f 9e ab 9d 49 8f 9a 8d 2f c3 d6 b8 73 7a 04 24 80 34 fa 9f 74 bb a8 59 a3 a7 f9 39 c7 4e 10 1a a1 d8 52 4e 16 a1 4c 4c b4 43 fe 47 df e3 29 08 0e 53 6c df 40 5e cb f6 d3 59 09 63 cb 6f c5 f4 fa e1 71 14 35 88 00 82 41 2f f0 4a 20 81 6d 84 81 61 ed 5e 8e 74 b0 35 e0 cc 2f b1 c3 e8 9c e3 a0 61 a4 66 be 72 70 ff fb f1 4a 0a 42 e7 50 ca 73 a8 98 fc 13 9b 02 03 01 00 01 a3 81 ab 30 81 a8 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 09 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 07 80 30 0f 06 09 2b 06 01 05 05 07 30 01 05 04 02 05 00 30 22 06 03 55 1d 11 04 1b 30 19 Data Ascii: 00+0001QV)20171023044919Z0s0q0I0+bcaSrx_n\t}?L.85njP20171023044919Z20171030044919Z0HOs"Xb0W(Mq1<5B6L<'3#hqIh$cKW0@{\{#olKlh%1hO'-#o/mCW6@mAiwDT&gD# "_K5]j;<[)/\%'l:p/$NvGSG!2xB]<Sg}a}-YYp%F;$000NGFs%#0H0^10UUS10USymantec Corporation100.U'Symantec Time Stamping Services CA - G20161213000000Z211231235959Z0F1D0BU;Symantec Time Stamping Services CA - G2 SHA1 OCSP Responder0"0H0E<S<&mUT[U~2LSOqX935mzU{jiHn3ii6*\|Sfnk9o,__<1zhI/sz$4tY9NRNLLCG)Sl@^Ycoq5A/J ma^t5/afrpJBPs00U00U%0+0U0+00"U0	4
Okt 25, 2017 10:19:06.408282995 MESZ	80	49167	23.54.91.27	192.168.1.16	Data Raw: a4 17 30 15 31 13 30 11 06 03 55 04 03 13 0a 54 47 56 2d 4f 46 46 2d 36 39 30 1d 06 03 55 1d 0e 04 16 04 14 af f2 0c ff 31 a4 51 0e e1 aa 89 56 f6 a0 cf df 88 11 15 29 30 1f 06 03 55 1d 23 04 18 30 16 80 14 5f 9a f5 6e 5c cc cc 74 9a d4 dd 7d ef Data Ascii: 010UTGV-OFF-690U1QV)0U#0_n\t}?L.0*H(J.FR}7/ ~<qRb7Atze{<qOZ>'80eQzwSmQYvM\>brkF$\|Z!%!S^XS:	5
Okt 25, 2017 10:19:14.232072115 MESZ	49167	80	192.168.1.16	23.54.91.27	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQd11mpyHEqFCSocj4SCu93CBydHAQUr2PWyqNOhXLgp7xB8ymiOH%2BAdWICEFRY8qrXQdZEvISpe6CWUuY%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ts-ocsp.ws.symantec.com	17
Okt 25, 2017 10:19:15.518414021 MESZ	80	49167	23.54.91.27	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Content-Type: application/ocsp-response Content-Length: 1589 content-transfer-encoding: binary Cache-Control: max-age=539105, public, no-transform, must-revalidate Last-Modified: Tue, 24 Oct 2017 14:02:01 GMT Expires: Tue, 31 Oct 2017 14:02:01 GMT Date: Wed, 25 Oct 2017 08:19:14 GMT Connection: keep-alive Data Raw: 30 82 06 31 0a 01 00 a0 82 06 2a 30 82 06 26 06 09 2b 06 01 05 05 07 30 01 01 04 82 06 17 30 82 06 13 30 81 9e a2 16 04 14 d7 13 bb f6 52 bf e9 00 ca 1f 87 36 96 e5 fa 2e 46 75 48 89 18 0f 32 30 31 37 31 30 32 34 31 34 30 32 30 31 5a 30 73 30 71 30 49 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 1d d7 59 a9 c8 71 2a 14 24 a8 72 3e 12 0a ef 77 08 1c 9d 1c 04 14 af 63 d6 ca a3 4e 85 72 e0 a7 bc 41 f3 29 a2 38 7f 80 75 62 02 10 54 58 f2 aa d7 41 d6 44 bc 84 a9 7b a0 96 52 e6 80 00 18 0f 32 30 31 37 31 30 32 34 31 34 30 32 30 31 5a a0 11 18 0f 32 30 31 37 31 30 33 31 31 34 30 32 30 31 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 24 bb 19 33 14 54 7b 74 fd f0 45 4c 5d c1 ef ac d0 28 ad f4 11 b2 cf db 13 77 36 07 52 a7 72 31 be 76 55 e9 1d d0 fd 9f 41 7f ea 87 d8 0e 8b ca 24 91 f5 6e d2 58 e1 fe 48 97 6d 63 8f 24 56 8d 51 c2 f6 ee 77 6f df 4e 21 ca ef 3b 3e e1 c6 32 9f 7e 96 96 84 44 6b ed a3 87 c0 65 0d c2 12 f1 d9 f1 69 f2 ab 90 0f df 33 00 22 98 47 0e 5b 85 e2 f2 8b 79 27 1b 4c d1 d9 87 f0 42 62 7b 21 60 15 94 99 a1 d9 4a c6 1b 07 08 5c e0 bf 29 94 ab ae 42 60 b7 f4 74 78 23 01 33 88 80 cd 8a e6 0f 65 9f e3 ca 51 7b aa 6c 50 3b ae 23 d6 fa 68 df 52 75 27 d6 45 76 42 e7 63 09 c4 a4 ba bf cf 6d 42 79 f3 1b 5a 9b 61 dd dd 33 89 29 0b ef e5 28 5c ed 96 b8 7a d6 c3 8e 32 20 9a 02 9f 9f d3 e4 74 40 88 d3 eb f2 40 95 a8 4a 71 a8 07 41 7a ab 71 27 ed 0a 9b 5d b5 bf 14 c3 3a 09 95 7b b2 ea a0 82 04 5a 30 82 04 56 30 82 04 52 30 82 03 3a a0 03 02 01 02 02 10 61 6c b0 aa 9b 5e 44 cc a3 80 d8 ad fb c1 5c aa 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 77 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 1d 30 1b 06 03 55 04 0a 13 14 53 79 6d 61 6e 74 65 63 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 1f 30 1d 06 03 55 04 0b 13 16 53 79 6d 61 6e 74 65 63 20 54 72 75 73 74 20 4e 65 74 77 6f 72 6b 31 28 30 26 06 03 55 04 03 13 1f 53 79 6d 61 6e 74 65 63 20 53 48 41 32 35 36 20 54 69 6d 65 53 74 61 6d 70 69 6e 67 20 43 41 30 1e 17 0d 31 37 30 39 31 30 30 30 30 30 30 30 5a 17 0d 31 37 31 32 30 39 32 33 35 39 35 39 5a 30 39 31 37 30 35 06 03 55 04 03 13 2e 53 79 6d 61 6e 74 65 63 20 53 48 41 32 35 36 20 54 69 6d 65 53 74 61 6d 70 69 6e 67 20 43 41 20 4f 43 53 50 20 52 65 73 70 6f 6e 64 65 72 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c5 23 81 9b c8 ca 89 c2 fb 16 3a 43 1b 8a 8d 85 40 9a 3a c7 d1 b3 f3 90 80 ef 3f 1a 35 02 51 1f 01 83 b0 71 cb 52 a6 1f b9 e4 1e 62 1f ea 84 e8 fd dd 7a f6 3b 43 fd 90 6a 3d 81 f0 08 c1 c9 94 88 24 d3 e8 71 6f 7c 5c aa 1c 58 f6 68 c0 d3 86 3b 85 8d 28 b9 00 e2 e2 bb 57 be 3a 55 ec 4b f9 54 e9 57 bd 4a 85 57 f2 8c 2c 7c e6 cb 2b c7 47 cb a8 80 9f 8a 6a f1 d7 5f eb df 46 aa fe ce 72 e8 27 27 87 f0 b3 f8 38 4a de d4 8d 48 18 61 18 19 15 f1 f6 2c 53 55 9f 6d 65 17 4d 7c d0 17 09 38 69 d6 52 f1 f2 18 24 83 23 a6 9e f3 4c 3f d9 f9 a4 f2 3f 82 55 89 c4 e3 25 09 e4 8e 2a 90 11 8d 36 dd 7f 97 ba 79 c1 2a c1 ca 15 ce 36 f5 3c 6a d4 34 7e 17 aa ac 87 ca d7 b4 51 89 5f 0c 18 16 34 4e 8b 0c 0b d8 f4 3d 48 f2 b7 56 00 a9 aa 89 4e 4c 6b 5c 85 84 55 32 40 ea 29 a9 a2 2b ab 02 03 01 00 01 a3 82 01 16 30 82 01 12 30 0f 06 09 2b 06 01 05 05 07 30 01 05 04 02 05 00 30 22 06 03 55 1d 11 04 1b 30 19 a4 17 30 15 31 13 30 11 06 03 55 04 03 13 0a 54 47 56 2d 45 2d 32 39 31 37 30 1f 06 03 55 1d 23 04 18 30 16 80 Data Ascii: 010&+000R6.FuH20171024140201Z0s0q0I0+Yq$r>wcNrA)8ubTXAD{R20171024140201Z20171031140201Z0H$3T{tEL](w6Rr1vUA$nXHmc$VQwoN!;>2~Dkei3"G[y'LBb{!`J\)B`tx#3eQ{lP;#hRu'EvBcmByZa3)(\z2 t@@JqAzq']:{Z0V0R0:al^D\0H0w10UUS10USymantec Corporation10USymantec Trust Network1(0&USymantec SHA256 TimeStamping CA0170910000000Z171209235959Z091705U.Symantec SHA256 TimeStamping CA OCSP Responder0"0H0#:C@:?5QqRbz;Cj=$qo\|\Xh;(W:UKTWJW,\|+Gj_Fr''8JHa,SUmeM\|8iR$#L??U%6y*6<j4~Q_4N=HVNLk\U2@)+00+00"U0010UTGV-E-29170U#0	25
Okt 25, 2017 10:19:15.518435001 MESZ	80	49167	23.54.91.27	192.168.1.16	Data Raw: 14 af 63 d6 ca a3 4e 85 72 e0 a7 bc 41 f3 29 a2 38 7f 80 75 62 30 1d 06 03 55 1d 0e 04 16 04 14 d7 13 bb f6 52 bf e9 00 ca 1f 87 36 96 e5 fa 2e 46 75 48 89 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 Data Ascii: cNrA)8ub0UR6.FuH0U00U%0+0U0hU a0_0]`HE0N0#+https://d.symcb.com/cps0'+0 https://d.symcb.com/rpa0*HQA{l;x	25

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: i0YxTJ2SO.exe PID: 3432 Parent PID: 3020

General

Start time:	10:18:40
Start date:	25/10/2017
Path:	C:\Users\user\Desktop\i0YxTJ2SO.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\i0YxTJ2SO.exe'
Imagebase:	0x75440000
File size:	441899 bytes
MD5 hash:	FBBDC39AF1139AEBBA4DA004475E8839
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: rundll32.exe PID: 3464 Parent PID: 3432

General

Start time:	10:18:40
Start date:	25/10/2017
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Imagebase:	0x71880000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3476 Parent PID: 3464

General

Start time:	10:18:40
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c schtasks /Delete /F /TN rhaegal
Imagebase:	0x75440000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3496 Parent PID: 3476

General

Start time:	10:18:41
Start date:	25/10/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /Delete /F /TN rhaegal
Imagebase:	0x75170000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3512 Parent PID: 3464

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Imagebase:	0x77390000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3524 Parent PID: 3464

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Imagebase:	0x75440000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 9706.tmp PID: 3560 Parent PID: 3464

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\9706.tmp
Wow64 process (32bit):	false
Commandline:	'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Imagebase:	0x77390000
File size:	53624 bytes
MD5 hash:	37945C44A897AA42A66ADCAB68F560E0
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3568 Parent PID: 3512

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Imagebase:	0x73d30000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3608 Parent PID: 3524

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Imagebase:	0x73d30000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3656 Parent PID: 3464

General

Start time:	10:18:45
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Imagebase:	0x75790000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wevtutil.exe PID: 3688 Parent PID: 3656

General

Start time:	10:36:00
Start date:	25/10/2017
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	wevtutil cl Setup
Imagebase:	0x76eb0000
File size:	175616 bytes
MD5 hash:	81538B795F922B8DA6FD897EFB04B5EE
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: shutdown.exe PID: 3708 Parent PID: 1568

General

Start time:	10:36:00
Start date:	25/10/2017
Path:	C:\Windows\System32\shutdown.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\shutdown.exe /r /t 0 /f
Imagebase:	0x77390000
File size:	30720 bytes
MD5 hash:	61739432482891F2DC5745CCA0A67028
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wevtutil.exe PID: 3748 Parent PID: 3656

General

Start time:	10:36:01
Start date:	25/10/2017
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	wevtutil cl System
Imagebase:	0x74ec0000
File size:	175616 bytes
MD5 hash:	81538B795F922B8DA6FD897EFB04B5EE
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wevtutil.exe PID: 3820 Parent PID: 3656

General

Start time:	10:36:01
Start date:	25/10/2017
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	wevtutil cl Security
Imagebase:	0x76eb0000
File size:	175616 bytes
MD5 hash:	81538B795F922B8DA6FD897EFB04B5EE
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3836 Parent PID: 3464

General

Start time:	10:36:02
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c schtasks /Delete /F /TN drogon
Imagebase:	0x77390000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wevtutil.exe PID: 3844 Parent PID: 3656

General

Start time:	10:36:02
Start date:	25/10/2017
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	wevtutil cl Application
Imagebase:	0x76eb0000
File size:	175616 bytes
MD5 hash:	81538B795F922B8DA6FD897EFB04B5EE
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: LogonUI.exe PID: 3900 Parent PID: 348

General

Start time:	10:36:02
Start date:	25/10/2017
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	'LogonUI.exe' /flags:0x0
Imagebase:	0x74a40000
File size:	10752 bytes
MD5 hash:	3EF0D8AB08385AAB5802E773511A2E6A
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3928 Parent PID: 3836

General

Start time:	10:36:04
Start date:	25/10/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline:	unknown
Imagebase:
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: fsutil.exe PID: 3976 Parent PID: 3656

General

Start time:	10:36:04
Start date:	25/10/2017
Path:	C:\Windows\System32\fsutil.exe
Wow64 process (32bit):
Commandline:	unknown
Imagebase:
File size:	74240 bytes
MD5 hash:	B4834F08230A2EB7F498DE4E5B6AB814
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: i0YxTJ2SO.exe PID: 3432 Parent PID: 3020

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	86
Total number of Limit Nodes:	13

Executed Functions

Function 003E1690, Relevance: 1.3, Strings: 1, Instructions: 54

Strings

1.2.8, xrefs: 003E16BE

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E12C0, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 138

APIs

GetCommandLineW.KERNEL32 ref: 003E12DF
GetCommandLineW.KERNEL32 ref: 003E12FC
CommandLineToArgvW.SHELL32(00000000), ref: 003E12FF
wcsstr.MSVCRT ref: 003E133D
GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 003E139B
lstrcatW.KERNEL32(?,\rundll32.exe), ref: 003E13B5

Part of subcall function 003E10C0: GetModuleHandleW.KERNEL32(00000000,?,0000030C,?), ref: 003E10F8
Part of subcall function 003E10C0: GetModuleFileNameW.KERNEL32(00000000), ref: 003E10FF
Part of subcall function 003E10C0: GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?), ref: 003E1172
Part of subcall function 003E10C0: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,?), ref: 003E1179
Part of subcall function 003E10C0: memcpy.MSVCRT ref: 003E1192
Part of subcall function 003E10C0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?), ref: 003E11BB
Part of subcall function 003E10C0: RtlAllocateHeap.NTDLL(00000000), ref: 003E11BE
Part of subcall function 003E10C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E1207
Part of subcall function 003E10C0: HeapFree.KERNEL32(00000000), ref: 003E120A

Part of subcall function 003E1260: CreateFileW.KERNEL32(C:\Windows\infpub.dat,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E1277
Part of subcall function 003E1260: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003E128F
Part of subcall function 003E1260: CloseHandle.KERNEL32(00000000), ref: 003E12A4

wsprintfW.USER32 ref: 003E1418
CreateProcessW.KERNEL32 ref: 003E1479
ExitProcess.KERNEL32 ref: 003E1481

Part of subcall function 003E1499: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E1566
Part of subcall function 003E1499: UnhandledExceptionFilter.KERNEL32(003E4080), ref: 003E1571
Part of subcall function 003E1499: GetCurrentProcess.KERNEL32(C0000409), ref: 003E157C
Part of subcall function 003E1499: TerminateProcess.KERNEL32(00000000), ref: 003E1583

Strings

infpub.dat, xrefs: 003E1400
%ws C:\Windows\%ws,#1 %ws, xrefs: 003E1412
\rundll32.exe, xrefs: 003E13A9
D, xrefs: 003E146F

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E10C0, Relevance: 13.6, APIs: 9, Instructions: 133

APIs

GetModuleHandleW.KERNEL32(00000000,?,0000030C,?), ref: 003E10F8
GetModuleFileNameW.KERNEL32(00000000), ref: 003E10FF
GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?), ref: 003E1172
RtlAllocateHeap.NTDLL(00000000,?,00000000,?,?), ref: 003E1179
memcpy.MSVCRT ref: 003E1192
GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?), ref: 003E11BB
RtlAllocateHeap.NTDLL(00000000), ref: 003E11BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E1207
HeapFree.KERNEL32(00000000), ref: 003E120A

Part of subcall function 003E1499: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E1566
Part of subcall function 003E1499: UnhandledExceptionFilter.KERNEL32(003E4080), ref: 003E1571
Part of subcall function 003E1499: GetCurrentProcess.KERNEL32(C0000409), ref: 003E157C
Part of subcall function 003E1499: TerminateProcess.KERNEL32(00000000), ref: 003E1583

Part of subcall function 003E1000: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003E101A
Part of subcall function 003E1000: GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 003E102D
Part of subcall function 003E1000: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 003E103D
Part of subcall function 003E1000: RtlAllocateHeap.NTDLL(00000000,?,?,?), ref: 003E1044
Part of subcall function 003E1000: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003E1060
Part of subcall function 003E1000: GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 003E1071
Part of subcall function 003E1000: HeapFree.KERNEL32(00000000,?,?), ref: 003E1078
Part of subcall function 003E1000: CloseHandle.KERNEL32(00000000), ref: 003E1080
Part of subcall function 003E1000: CloseHandle.KERNEL32(00000000), ref: 003E10A4

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E1000, Relevance: 13.6, APIs: 9, Instructions: 79

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003E101A
GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 003E102D
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 003E103D
RtlAllocateHeap.NTDLL(00000000,?,?,?), ref: 003E1044
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003E1060
GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 003E1071
HeapFree.KERNEL32(00000000,?,?), ref: 003E1078
CloseHandle.KERNEL32(00000000), ref: 003E1080
CloseHandle.KERNEL32(00000000), ref: 003E10A4

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E1260, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36

APIs

CreateFileW.KERNEL32(C:\Windows\infpub.dat,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E1277
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003E128F
CloseHandle.KERNEL32(00000000), ref: 003E12A4

Strings

C:\Windows\infpub.dat, xrefs: 003E1272

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E3393, Relevance: 1.3, APIs: 1, Instructions: 9

APIs

malloc.MSVCRT ref: 003E339E

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Non-executed Functions

Function 003E1499, Relevance: 6.0, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E1566
UnhandledExceptionFilter.KERNEL32(003E4080), ref: 003E1571
GetCurrentProcess.KERNEL32(C0000409), ref: 003E157C
TerminateProcess.KERNEL32(00000000), ref: 003E1583

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Analysis Process: rundll32.exe PID: 3464 Parent PID: 3432

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23.9%
Total number of Nodes:	1420
Total number of Limit Nodes:	13

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Exploits:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: i0YxTJ2SO.exe PID: 3432 Parent PID: 3020

General

Analysis Process: rundll32.exe PID: 3464 Parent PID: 3432

General

Analysis Process: cmd.exe PID: 3476 Parent PID: 3464

General