Windows Analysis Report
GOmRjFSKNz.exe

Overview

General Information

Sample name: GOmRjFSKNz.exe
renamed because original name is a hash value
Original sample name: bc37b8380183870ec6acd56886f3ef4537bf63c71935a094307875e03b0d2bb5.exe
Analysis ID: 1534173
MD5: 01ef5f0617d6cb995abe430c3c6c7acd
SHA1: 9d6cee782bce7762f58f2bf6c1c38218491e9f94
SHA256: bc37b8380183870ec6acd56886f3ef4537bf63c71935a094307875e03b0d2bb5
Tags: 87-120-114-39exeuser-JAMESWT_MHT
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Installs new ROOT certificates
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "87.120.114.39:47928", "Bot Id": "new", "Authorization Header": "4484cd46611513b45d351e0b5010e5bb"}
Multi AV Scanner detection for submitted file
Source: GOmRjFSKNz.exe ReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.5% probability
Uses 32bit PE files
Source: GOmRjFSKNz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: GOmRjFSKNz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8 source: RegAsm.exe, 00000010.00000002.3032787620.0000000000962000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3034584358.0000000005EF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nHC:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 00000010.00000002.3032392433.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: Launches.pif, 0000000A.00000003.2823843249.0000000004418000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2826358198.0000000000262000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032392433.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: Launches.pif, 0000000A.00000003.2823843249.0000000004418000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2826358198.0000000000262000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032787620.00000000009FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032787620.0000000000962000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_007A4005
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_007A494A
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_007A3CE2
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_007AC2FF
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007ACD14 FindFirstFileW,FindClose, 10_2_007ACD14
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_007ACD9F
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_007AF5D8
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_007AF735
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_007AFA36
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\72076\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\72076 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 87.120.114.39:47928
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 87.120.114.39 ports 47928,2,4,7,8,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:50002 -> 87.120.114.39:47928
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.114.39
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.114.39
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.114.39
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.114.39
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.114.39
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007B29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_007B29BA
Source: global traffic DNS traffic detected: DNS query: GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: GOmRjFSKNz.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15LRfqx/j
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1LRfq4
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21LRfqduj
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7LRfqx
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9LRfq
Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Launches.pif, 0000000A.00000000.1818602986.0000000000809000.00000002.00000001.01000000.00000006.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Launches.pif, 0000000A.00000003.2825065700.0000000001DDD000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2833770879.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2825546542.000000000519F000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2825688213.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2882687318.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2882687318.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2833826824.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2884666788.0000000001DDC000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2833895594.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2884574282.0000000001E5C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3032255109.0000000000342000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Launches.pif.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: https://www.globalsign.com/repository/06
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007B4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_007B4830
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007B4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_007B4632
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007CD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_007CD164
Drops certificate files (DER)
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp90E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp93E.tmp Jump to dropped file
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A4254: CreateFileW,DeviceIoControl,CloseHandle, 10_2_007A4254
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00798F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00798F2E
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_007A5778
Creates files inside the system directory
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe File created: C:\Windows\MississippiClinic Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0074B020 10_2_0074B020
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007494E0 10_2_007494E0
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00749C80 10_2_00749C80
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007623F5 10_2_007623F5
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007C8400 10_2_007C8400
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00776502 10_2_00776502
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0077265E 10_2_0077265E
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0074E6F0 10_2_0074E6F0
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076282A 10_2_0076282A
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007789BF 10_2_007789BF
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00776A74 10_2_00776A74
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007C0A3A 10_2_007C0A3A
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00750BE0 10_2_00750BE0
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076CD51 10_2_0076CD51
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0079EDB2 10_2_0079EDB2
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A8E44 10_2_007A8E44
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007C0EB7 10_2_007C0EB7
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00776FE6 10_2_00776FE6
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007633B7 10_2_007633B7
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0075D45D 10_2_0075D45D
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076F409 10_2_0076F409
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00741663 10_2_00741663
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0075F628 10_2_0075F628
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007616B4 10_2_007616B4
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0074F6A0 10_2_0074F6A0
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007678C3 10_2_007678C3
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076DBA5 10_2_0076DBA5
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00761BA8 10_2_00761BA8
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00779CE5 10_2_00779CE5
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0075DD28 10_2_0075DD28
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076BFD6 10_2_0076BFD6
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00761FC0 10_2_00761FC0
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_00BBDC74 16_2_00BBDC74
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA67D8 16_2_05DA67D8
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DAA3E8 16_2_05DAA3E8
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DAA3D8 16_2_05DAA3D8
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA6FF8 16_2_05DA6FF8
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA6FE8 16_2_05DA6FE8
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\72076\Launches.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: String function: 00768B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: String function: 00751A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: String function: 00760D17 appears 70 times
Sample file is different than original file name gathered from version info
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs GOmRjFSKNz.exe
Source: GOmRjFSKNz.exe, 00000000.00000003.1786608510.0000000000804000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs GOmRjFSKNz.exe
Source: GOmRjFSKNz.exe, 00000000.00000002.1787695654.0000000000804000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs GOmRjFSKNz.exe
Uses 32bit PE files
Source: GOmRjFSKNz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@24/17@1/1
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AA6AD GetLastError,FormatMessageW, 10_2_007AA6AD
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00798DE9 AdjustTokenPrivileges,CloseHandle, 10_2_00798DE9
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00799399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00799399
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 10_2_007A4148
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 10_2_007A443D
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe File created: C:\Users\user\AppData\Local\Temp\nsl4E2F.tmp Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat
Source: GOmRjFSKNz.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: GOmRjFSKNz.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe File read: C:\Users\user\Desktop\GOmRjFSKNz.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\GOmRjFSKNz.exe "C:\Users\user\Desktop\GOmRjFSKNz.exe"
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 72076
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SILICONLATINOAMPLANDBLOW" Words
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Indoor + ..\An + ..\Transport + ..\Strap + ..\Passed + ..\Treasure s
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Launches.pif s
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Process created: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 72076 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SILICONLATINOAMPLANDBLOW" Words Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Indoor + ..\An + ..\Transport + ..\Strap + ..\Passed + ..\Treasure s Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Launches.pif s Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Process created: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: esdsip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Google Chrome.lnk.16.dr LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: GOmRjFSKNz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8 source: RegAsm.exe, 00000010.00000002.3032787620.0000000000962000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3034584358.0000000005EF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nHC:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 00000010.00000002.3032392433.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: Launches.pif, 0000000A.00000003.2823843249.0000000004418000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2826358198.0000000000262000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032392433.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: Launches.pif, 0000000A.00000003.2823843249.0000000004418000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2826358198.0000000000262000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032787620.00000000009FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032787620.0000000000962000.00000004.00000020.00020000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00768B75 push ecx; ret 10_2_00768B88
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0075CBDB push eax; retf 10_2_0075CBF8
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0075CC06 push eax; retf 10_2_0075CBF8
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DAD413 push es; ret 16_2_05DAD420
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DAC711 push es; ret 16_2_05DAC720
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA804D push ecx; iretd 16_2_05DA8052
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DAECF2 push eax; ret 16_2_05DAED01
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA49AB push FFFFFF8Bh; retf 16_2_05DA49AD
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA3B4F push dword ptr [esp+ecx*2-75h]; ret 16_2_05DA3B53

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Jump to dropped file
Installs new ROOT certificates
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob Jump to behavior
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif File created: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Jump to dropped file
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007C59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_007C59B3
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00755EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00755EDA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007633B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_007633B7
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Memory allocated: BB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Memory allocated: 2600000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Memory allocated: 4600000 memory reserve | memory write watch Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif API coverage: 4.8 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_007A4005
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_007A494A
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_007A3CE2
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_007AC2FF
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007ACD14 FindFirstFileW,FindClose, 10_2_007ACD14
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_007ACD9F
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_007AF5D8
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_007AF735
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_007AFA36
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00755D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_00755D13
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\72076\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\72076 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: Launches.pif, 0000000A.00000002.2895968083.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2894423586.0000000001D79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: RegAsm.exe, 00000010.00000002.3034584358.0000000005F25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007B45D5 BlockInput, 10_2_007B45D5
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00755240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00755240
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00775CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 10_2_00775CAC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_007988CD
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076A354 SetUnhandledExceptionFilter, 10_2_0076A354
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0076A385
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Memory written: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe base: 340000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Memory written: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe base: 340000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Memory written: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe base: 449000 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00799369 LogonUserW, 10_2_00799369
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00755240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00755240
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A1AC6 SendInput,keybd_event, 10_2_007A1AC6
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A51E2 mouse_event, 10_2_007A51E2
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 72076 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SILICONLATINOAMPLANDBLOW" Words Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Indoor + ..\An + ..\Transport + ..\Strap + ..\Passed + ..\Treasure s Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Launches.pif s Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Process created: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_007988CD
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_007A4F1C
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002878000.00000004.00000020.00020000.00000000.sdmp, Launches.pif, 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp, Carol.0.dr, Launches.pif.1.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Launches.pif Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076885B cpuid 10_2_0076885B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00780030 GetLocalTime,__swprintf, 10_2_00780030
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00780722 GetUserNameW, 10_2_00780722
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0077416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_0077416A
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 10.3.Launches.pif.1ddc050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Launches.pif.1ddc050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2825546542.000000000519F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2833770879.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825065700.0000000001DDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825688213.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2824672801.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2882687318.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3032255109.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2882687318.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825305490.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825305490.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2833826824.000000000449B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2884666788.0000000001DDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825915690.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2833895594.0000000004418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2884370254.0000000001F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2884574282.0000000001E5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Launches.pif PID: 4296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1144, type: MEMORYSTR
OS version to string mapping found (often used in BOTs)
Source: Launches.pif Binary or memory string: WIN_81
Source: Launches.pif Binary or memory string: WIN_XP
Source: Launches.pif Binary or memory string: WIN_XPe
Source: Launches.pif Binary or memory string: WIN_VISTA
Source: Launches.pif Binary or memory string: WIN_7
Source: Launches.pif Binary or memory string: WIN_8
Source: Launches.pif.1.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 10.3.Launches.pif.1ddc050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Launches.pif.1ddc050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2825546542.000000000519F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2833770879.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825065700.0000000001DDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825688213.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2824672801.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2882687318.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3032255109.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2882687318.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825305490.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825305490.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2833826824.000000000449B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2884666788.0000000001DDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2825915690.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2833895594.0000000004418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2884370254.0000000001F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2884574282.0000000001E5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Launches.pif PID: 4296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1144, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007B696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_007B696E
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007B6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_007B6E32
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534173 Sample: GOmRjFSKNz.exe Startdate: 15/10/2024 Architecture: WINDOWS Score: 100 33 GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex 2->33 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected RedLine Stealer 2->47 49 5 other signatures 2->49 9 GOmRjFSKNz.exe 18 2->9         started        signatures3 process4 process5 11 cmd.exe 2 9->11         started        file6 29 C:\Users\user\AppData\Local\...\Launches.pif, PE32 11->29 dropped 53 Drops PE files with a suspicious file extension 11->53 15 Launches.pif 1 11->15         started        19 cmd.exe 2 11->19         started        21 conhost.exe 11->21         started        23 7 other processes 11->23 signatures7 process8 file9 31 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 15->31 dropped 37 Found API chain indicative of debugger detection 15->37 39 Writes to foreign memory regions 15->39 41 Injects a PE file into a foreign processes 15->41 25 RegAsm.exe 1 18 15->25         started        signatures10 process11 dnsIp12 35 87.120.114.39, 47928, 50002 UNACS-AS-BG8000BurgasBG Bulgaria 25->35 51 Installs new ROOT certificates 25->51 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
87.120.114.39
 unknown Bulgaria
25206 UNACS-AS-BG8000BurgasBG true

Contacted Domains

Name IP Active
GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
87.120.114.39:47928 true
    		unknown