Windows Analysis Report
2IVWAPeiZm.exe

Overview

General Information

Sample name: 2IVWAPeiZm.exe
renamed because original name is a hash value
Original sample name: 06592a8ca068935d98a5ada152e3393d.exe
Analysis ID: 1467970
MD5: 06592a8ca068935d98a5ada152e3393d
SHA1: 41adfa7ad17a0842b62b227b37ea4778fe7d247d
SHA256: acce6a3f4a8de7b556e74279744466adf4ec318a9fc03c639cdbc7f47c60da0d
Tags: 64 exe trojan

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GhostRat
AI detected suspicious sample
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear Windows event logs (to hide its activities)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Sample file name is different from the original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 2IVWAPeiZm.exe Avira: detected
Source: 2IVWAPeiZm.exe ReversingLabs: Detection: 57%
Source: 2IVWAPeiZm.exe Virustotal: Detection: 59%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_4652869d-6
Source: unknown HTTPS traffic detected: 159.75.57.35:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: 2IVWAPeiZm.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\rgweq\Desktop\@7\ssp\x64\Release\ssp.pdb%% source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\rgweq\Desktop\@7\ssp\x64\Release\ssp.pdb source: 2IVWAPeiZm.exe, 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: .pdb7 source: 2IVWAPeiZm.exe
Source: Binary string: F:\SDKUPDATE\online_win\targets\win32\msc_lua\Release\msc.pdb source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: z:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: x:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: v:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: t:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: r:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: p:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: n:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: l:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: j:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: h:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: f:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: b:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: y:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: w:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: u:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: s:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: q:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: o:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: m:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: k:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: i:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: g:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: e:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File opened: [:
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96098C0 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW, 0_2_000001CFB96098C0

Networking

Source: Traffic Snort IDS: 2052875 ET TROJAN Anonymous RAT CnC Checkin 192.168.2.4:49731 -> 206.238.115.146:6666
Source: Traffic Snort IDS: 2052875 ET TROJAN Anonymous RAT CnC Checkin 192.168.2.4:49732 -> 206.238.115.146:6666
Source: Traffic Snort IDS: 2052875 ET TROJAN Anonymous RAT CnC Checkin 192.168.2.4:49741 -> 206.238.115.146:6666
Source: Traffic Snort IDS: 2052875 ET TROJAN Anonymous RAT CnC Checkin 192.168.2.4:49744 -> 206.238.115.146:8888
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 206.238.115.146:6666
Source: Joe Sandbox View ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 206.238.115.146
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9603680 select,recv,_errno,_errno,_errno, 0_2_000001CFB9603680
Source: global traffic HTTP traffic detected: GET /any.png HTTP/1.1 | User-Agent: WinINetDownloader | Host: pattern-1326658104.cos.ap-guangzhou.myqcloud.com | Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: pattern-1326658104.cos.ap-guangzhou.myqcloud.com
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.wofficebox.com/
Source: 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB747C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/
Source: 2IVWAPeiZm.exe, 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB74CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.png
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/any.pngvector
Source: 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB747C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pattern-1326658104.cos.ap-guangzhou.myqcloud.com/eX
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.innosetup.com/
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6089000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: [esc] 0_2_000001CFB96111E0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96111E0 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW, 0_2_000001CFB96111E0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96111E0 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW, 0_2_000001CFB96111E0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB960DD20 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC, 0_2_000001CFB960DD20
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9610DD0 SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState, 0_2_000001CFB9610DD0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

System Summary

Source: sslproxydump.pcap, type: PCAP Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4111676483.000001CFB9200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\any[1].png, type: DROPPED Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\Public\Pictures\any.png, type: DROPPED Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9313495 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_000001CFB9313495
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB960D1D7 ExitProcess,ExitWindowsEx, 0_2_000001CFB960D1D7
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB960D228 ExitWindowsEx, 0_2_000001CFB960D228
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB960D207 ExitWindowsEx, 0_2_000001CFB960D207
Source: 2IVWAPeiZm.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 2IVWAPeiZm.exe, 00000000.00000000.1655005973.00007FF6F7C50000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamessp.exe< vs 2IVWAPeiZm.exe
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs 2IVWAPeiZm.exe
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsc.dll vs 2IVWAPeiZm.exe
Source: 2IVWAPeiZm.exe Binary or memory string: OriginalFilenamessp.exe< vs 2IVWAPeiZm.exe
Source: sslproxydump.pcap, type: PCAP Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4112008325.000001CFB9300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4111676483.000001CFB9200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\any[1].png, type: DROPPED Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\Public\Pictures\any.png, type: DROPPED Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ...Slnt
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/2@1/2
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9608BE0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess, 0_2_000001CFB9608BE0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9609240 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, 0_2_000001CFB9609240
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9608D60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 0_2_000001CFB9608D60
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9608180 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx, 0_2_000001CFB9608180
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9607420 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_000001CFB9607420
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9607A90 CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize, 0_2_000001CFB9607A90
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\any[1].png
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Mutant created: \Sessions\1\BaseNamedObjects\2024. 6.19
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: devenum.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 2IVWAPeiZm.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 2IVWAPeiZm.exe Static file information: File size 11845632 > 1048576
Source: 2IVWAPeiZm.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0xb31800
Source: 2IVWAPeiZm.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\rgweq\Desktop\@7\ssp\x64\Release\ssp.pdb%% source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\rgweq\Desktop\@7\ssp\x64\Release\ssp.pdb source: 2IVWAPeiZm.exe, 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F6081000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: .pdb7 source: 2IVWAPeiZm.exe
Source: Binary string: F:\SDKUPDATE\online_win\targets\win32\msc_lua\Release\msc.pdb source: 2IVWAPeiZm.exe, 00000000.00000002.4113640461.00007FF6F636B000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9608A70 LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 0_2_000001CFB9608A70
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96268D1 push rbp; retf 0_2_000001CFB96268D4
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB962C382 pushfq ; ret 0_2_000001CFB962C399
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB962A5EA push rsp; iretd 0_2_000001CFB962A5F9
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB93A5DBA push ebp; iretd 0_2_000001CFB93A5DC4
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB939B348 push esp; iretd 0_2_000001CFB939B349
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB95C8D95 pushfd ; ret 0_2_000001CFB95C8D96
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB960D17A OpenEventLogW,ClearEventLogW,CloseEventLog, 0_2_000001CFB960D17A
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Window / User API: threadDelayed 800
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Window / User API: threadDelayed 3347
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Window / User API: threadDelayed 5011
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7376 Thread sleep count: 267 > 30
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7412 Thread sleep count: 800 > 30
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7412 Thread sleep time: -800000s >= -30000s
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7420 Thread sleep count: 3347 > 30
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7420 Thread sleep time: -33470s >= -30000s
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7412 Thread sleep count: 5011 > 30
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe TID: 7412 Thread sleep time: -5011000s >= -30000s
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96098C0 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW, 0_2_000001CFB96098C0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96089F0 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_000001CFB96089F0
Source: 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB74F5000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000002.4111407796.000001CFB747C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96149D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000001CFB96149D8
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9608A70 LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 0_2_000001CFB9608A70
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9607BF0 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree, 0_2_000001CFB9607BF0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96107A0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 0_2_000001CFB96107A0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96149D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000001CFB96149D8
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96118A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_000001CFB96118A0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_00007FF6F6085050 SetUnhandledExceptionFilter, 0_2_00007FF6F6085050
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_00007FF6F6084118 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6F6084118
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_00007FF6F60842F8 SetUnhandledExceptionFilter, 0_2_00007FF6F60842F8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96095B0 GetSystemDirectoryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread, 0_2_000001CFB96095B0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB9608E20 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, 0_2_000001CFB9608E20
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe NtUnmapViewOfSection: Indirect: 0x1CFB9313B24
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe NtMapViewOfSection: Indirect: 0x1CFB9313B90
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe NtMapViewOfSection: Indirect: 0x1CFB9313653
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 0_2_000001CFB9608E20
Source: 2IVWAPeiZm.exe, 00000000.00000002.4113072764.000001CFBA030000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000002.4113444705.000001CFBA432000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000003.3181505839.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 2IVWAPeiZm.exe, 00000000.00000003.1797753089.000001CFBA0E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: 2IVWAPeiZm.exe, 00000000.00000003.3900337582.000001CFBA070000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .2.4 0 min724536Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: 2IVWAPeiZm.exe, 00000000.00000003.3349240156.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000003.1797698380.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, 2IVWAPeiZm.exe, 00000000.00000003.3368874986.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .2.4 0 min724536Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,GetTickCount,_localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 0_2_000001CFB96067B0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: GetLocaleInfoW, 0_2_000001CFB9626190
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96107A0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 0_2_000001CFB96107A0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96188E0 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_000001CFB96188E0
Source: C:\Users\user\Desktop\2IVWAPeiZm.exe Code function: 0_2_000001CFB96142A8 HeapCreate,GetVersion,HeapSetInformation, 0_2_000001CFB96142A8
Source: 2IVWAPeiZm.exe Binary or memory string: acs.exe
Source: 2IVWAPeiZm.exe Binary or memory string: kxetray.exe
Source: 2IVWAPeiZm.exe Binary or memory string: avcenter.exe
Source: 2IVWAPeiZm.exe Binary or memory string: vsserv.exe
Source: 2IVWAPeiZm.exe Binary or memory string: KSafeTray.exe
Source: 2IVWAPeiZm.exe Binary or memory string: cfp.exe
Source: 2IVWAPeiZm.exe Binary or memory string: avp.exe
Source: 2IVWAPeiZm.exe Binary or memory string: 360Safe.exe
Source: 2IVWAPeiZm.exe Binary or memory string: 360tray.exe
Source: 2IVWAPeiZm.exe Binary or memory string: rtvscan.exe
Source: 2IVWAPeiZm.exe Binary or memory string: ashDisp.exe
Source: 2IVWAPeiZm.exe Binary or memory string: TMBMSRV.exe
Source: 2IVWAPeiZm.exe Binary or memory string: 360Tray.exe
Source: 2IVWAPeiZm.exe Binary or memory string: avgwdsvc.exe
Source: 2IVWAPeiZm.exe Binary or memory string: AYAgent.aye
Source: 2IVWAPeiZm.exe Binary or memory string: RavMonD.exe
Source: 2IVWAPeiZm.exe Binary or memory string: QUHLPSVC.EXE
Source: 2IVWAPeiZm.exe Binary or memory string: Mcshield.exe
Source: 2IVWAPeiZm.exe Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba34ac51.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb925162d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba0e5bd1.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb924647d.50.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba385181.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba432c61.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.42.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.39.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.38.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb923b8cd.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.36.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.36.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba3f91b5.52.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb92413ed.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb925162d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba0e5bd1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.46.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.48.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb92170ad.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb95b06d1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.49.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba432c61.53.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.44.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.45.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba3f91b5.52.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba385181.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb94711a5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.44.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0711a5.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba432c61.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.35.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb923764d.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba310721.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb9600000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb9600000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.45.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb925162d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb924647d.50.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb923764d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.47.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.48.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba34ac51.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba3bec61.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.49.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.47.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0711a5.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba0ab6a1.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0711a5.43.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb925162d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.40.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb95b06d1.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb94711a5.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba0ab6a1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba3bec61.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba432c61.53.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.51.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.37.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb923764d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.51.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba310721.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.35.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.42.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb9531116.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb9531116.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.31.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.46.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.30.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0711a5.43.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4112489647.000001CFB9530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2285778041.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2629266568.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3349240156.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3706740100.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3726196823.000001CFB9241000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1748764856.000001CFB924D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2820150176.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3368802529.000001CFB923B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1748942831.000001CFB9250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3368874986.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3919845681.000001CFBA3F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2820582683.000001CFBA071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1748764856.000001CFB9216000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1797698380.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3900454177.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1797698380.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3726241114.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3726279645.000001CFBA071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3900337582.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2629229655.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2820366657.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3181430469.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4113444705.000001CFBA432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3181505839.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3919777549.000001CFB9246000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2285716468.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4113319605.000001CFBA3BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2629266568.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1925226889.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2453865521.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4113072764.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3919809789.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3006787705.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4112427817.000001CFB9470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2453718670.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3535968647.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1925169796.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3181469055.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2107170872.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2629153864.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3368840828.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2107104468.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3368874986.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3181505839.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4113319605.000001CFBA310000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2IVWAPeiZm.exe PID: 7272, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba34ac51.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb925162d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba0e5bd1.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb924647d.50.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba385181.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba432c61.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.42.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.39.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.38.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb923b8cd.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.36.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.36.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba3f91b5.52.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb92413ed.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb925162d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba0e5bd1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.46.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.48.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb92170ad.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb95b06d1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.49.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba432c61.53.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.44.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.45.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba3f91b5.52.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba385181.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb94711a5.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.44.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0711a5.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba432c61.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.35.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb923764d.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba310721.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb9600000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb9600000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.45.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb925162d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb924647d.50.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb923764d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.47.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.48.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba34ac51.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba3bec61.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.49.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.47.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0711a5.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba0ab6a1.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0711a5.43.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb925162d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.40.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb95b06d1.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb94711a5.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba0ab6a1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba3bec61.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba432c61.53.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.51.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.37.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfb923764d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.51.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfba310721.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.35.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba9111ed.42.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb9531116.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2IVWAPeiZm.exe.1cfb9531116.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba031195.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.31.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0e5bd1.46.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.30.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0ab6a1.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.2IVWAPeiZm.exe.1cfba0711a5.43.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4112601282.000001CFB95B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4112489647.000001CFB9530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2285778041.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2629266568.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3349240156.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3706740100.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3726196823.000001CFB9241000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1748764856.000001CFB924D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2820150176.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3368802529.000001CFB923B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1748942831.000001CFB9250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3368874986.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3919845681.000001CFBA3F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2820582683.000001CFBA071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1748764856.000001CFB9216000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1797698380.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3900454177.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1797698380.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3726241114.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3726279645.000001CFBA071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3900337582.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2629229655.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2820366657.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3181430469.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4113444705.000001CFBA432000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3181505839.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3919777549.000001CFB9246000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2285716468.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4113319605.000001CFBA3BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2629266568.000001CFBA031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1925226889.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2453865521.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4113072764.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3919809789.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3006787705.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4112427817.000001CFB9470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2453718670.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3535968647.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1925169796.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3181469055.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2107170872.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2629153864.000001CFB9237000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3368840828.000001CFBA911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2107104468.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4112680827.000001CFB9600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3368874986.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3181505839.000001CFBA0AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4113319605.000001CFBA310000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2IVWAPeiZm.exe PID: 7272, type: MEMORYSTR