Windows Analysis Report
Qzo7rljbyQ.exe

Overview

General Information

Sample name:	Qzo7rljbyQ.exe renamed because original name is a hash value
Original sample name:	1ddbc000b99fcedfa0411caa0958a3ce.exe
Analysis ID:	1546604
MD5:	1ddbc000b99fcedfa0411caa0958a3ce
SHA1:	454c0a25d42ae1c8e2616f757f6652850599aa83
SHA256:	d8d44d10581a16f9dcd963b111ab9329da6c625b6692e1bfe4f653b9ba1a7b77
Tags:	exeuser-abuse_ch
Infos:

Detection

PureCrypter

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

Detected PureCrypter Trojan

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Qzo7rljbyQ.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Qzo7rljbyQ.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Qzo7rljbyQ.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Qzo7rljbyQ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Qzo7rljbyQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 167.88.160.63:56001 -> 192.168.2.4:49730

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 167.88.160.63:56001

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PONYNETUS PONYNETUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49732

Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63

Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.0000000001539000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

System Summary

.NET source code contains very large array initializations

Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, WrapperAttrSpec.cs

Large array initialization: LogoutDic: array initializer size 297408

Detected potential crypto function

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_016914F8	0_2_016914F8
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_01690868	0_2_01690868
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_016963ED	0_2_016963ED
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_016963F0	0_2_016963F0
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_016936A8	0_2_016936A8
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_01693699	0_2_01693699
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050176AB	0_2_050176AB
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050153C0	0_2_050153C0
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05014D02	0_2_05014D02
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_0501777D	0_2_0501777D
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050176B4	0_2_050176B4
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05017147	0_2_05017147
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05017150	0_2_05017150
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05010040	0_2_05010040
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050153BF	0_2_050153BF
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05017236	0_2_05017236
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BE6B40	0_2_08BE6B40
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEC1F0	0_2_08BEC1F0
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEE128	0_2_08BEE128
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEE100	0_2_08BEE100
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEC220	0_2_08BEC220
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BE6B30	0_2_08BE6B30
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BE5648	0_2_08BE5648
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEA770	0_2_08BEA770
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEA760	0_2_08BEA760
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF4440	0_2_08BF4440
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BFE770	0_2_08BFE770
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF0040	0_2_08BF0040

Sample file is different than original file name gathered from version info

Source: Qzo7rljbyQ.exe, 00000000.00000002.4110055106.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUqgxreerde.dll" vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.000000000144E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe, 00000000.00000000.1651891424.0000000000D58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVsdsr.exe" vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4105569924.0000000004C5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUqgxreerde.dll" vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4105569924.00000000049BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUqgxreerde.dll" vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe	Binary or memory string: OriginalFilenameVsdsr.exe" vs Qzo7rljbyQ.exe

Uses 32bit PE files

Source: Qzo7rljbyQ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Qzo7rljbyQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, SchemaService.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, SchemaService.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, WrapperAttrSpec.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\a3d0748ac2

Source: Qzo7rljbyQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Qzo7rljbyQ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Qzo7rljbyQ.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: cabinet.dll	Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Qzo7rljbyQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Qzo7rljbyQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, SchemaService.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_0501296B push eax; retf 0070h	0_2_050129A2
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050129A7 push eax; retf 0070h	0_2_050129B2
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050129B7 push eax; retf 0070h	0_2_050129A2
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050129B7 push eax; retf 0070h	0_2_050129C2
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05012800 push eax; retf	0_2_05012801
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05012868 pushfd ; retf	0_2_05012869
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF713F push cs; ret	0_2_08BF714F
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF0B92 push FFFFFFFFh; ret	0_2_08BF0B50
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF0B30 push FFFFFFFFh; ret	0_2_08BF0AD1

Source: Qzo7rljbyQ.exe

Static PE information: section name: .text entropy: 7.988778517932884

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 5000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 5750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 6750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 6880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 7880000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Window / User API: threadDelayed 2985			Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Window / User API: threadDelayed 6830			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 2996	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 2520	Thread sleep count: 2985 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 2520	Thread sleep count: 6830 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31408s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31169s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31049s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30923s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30031s >= -30000s	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 32000	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31875	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31765	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31655	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31547	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31408	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31281	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31169	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31049	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30923	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30797	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30687	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30578	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30469	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30359	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30250	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30140	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30031	Jump to behavior

Source: Qzo7rljbyQ.exe, 00000000.00000002.4113818435.0000000007FD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB
Source: Qzo7rljbyQ.exe, 00000000.00000002.4113541888.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpV

Enables debug privileges

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Detected PureCrypter Trojan

Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: 167.88.160.63MIIE5jCCAs6gAwIBAgIQAJbsLUO7QQjj7DZYnmF3lzANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlJeHl5Z2JnaHowIBcNMjQxMDI1MDE1MDQyWhgPOTk5OTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMMCUl4eXlnYmdoejCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMoa2AORNn3SmAvggH42G5WUUqkE4mdwvPUgX+l4CtJpQTNU96ZuAt6+zEiwfuqsvkZeL3lGby/pDzDPI8dUrb2zBqGSDQ0W9jmKj6Qxgv1OmQeXrwdvcyQE4cv25QzhTyFbKD/72Kq5eMApEN8KXrf2UcCSXmIu0pIbURxKnKydSGFHmyW0jh96SL9aPKOhv5O40Kso89+O4Yfw7luyfZneQXIaZ5aXXZOi00y/2IQF5KqxdZqdv/eio1pxOByr+09cblCizTgzVMNcyQ4EI1xw0K8tVVJD1+9OSLwsVJ+1Bj7uUeSTPuVwz2ZQg44+g+GCFZSAcmvjQEivk8pPgiVGqsaoPp38SXi8d4XlMunvQc0aV+5gRhUqbTkCuWx7AyWlLkg/ilQAFxwhxwv7pQHEzfsA96qqSfGk9mYoCDhujtNn/GfUYwC+p1Ktzaxvf21Gh0tFj+LC+HwIl0m3SJmqj9u28eHCspE8LEM/PE6DfVebV3A/CJS7CiAU2bu9ukJxsKmZMTjlvMzsF2zQeKxE1oaosOXcj8UNxtGq1Gs433/Zu9oB1Qz0JfXPsFwQt7n7R1B2nJ+cKtPQ3panXMtN7648K2xD/VaP/P1C8vtsGDjbBzDUN0wv2Nvusm101iFSrC87sHLGs5hjCYQFxhZ0ve6tjPUn6Wn7xc3MWlj3AgMBAAGjMjAwMB0GA1UdDgQWBBQxJEvnmrwiFd/N/8xG8iZKxk2AdTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQB/ia8oX44kqlC5FAqubZkiiX7WDtVjD5xSJ34doP08wQp401iE0WUAtn+c+BrZFUvHK8mlpAuvJxOiNN3ThQ3sMebd6wY1iLi/3MkUx/IZzdVj3Q77ehJOZ8NJ2GmLGTUPt8EuvG7rLftoTl8G63BAaAS2z54dW05SZOj+NppUgLA4S8bOWTPWewhmwhleBrtdx+dGnAjoiuKvuq1+ENjUCez90zVC9h5DnoaQab8NKIi7Y7dPX4ZEotYi4Pd1cORbuRYzmP6XC/skKZ4XWiKs8A+EoO3e51BgbVingmbvlTIWUNw9zvezuCaGyj/luebj+eysp4xI/JbdRmMBd+mSe2C/oR/xILqB20c2OTzaWjM+60zvErGAVgTe/JAYzw0yjxAqhyIztQUvRq9MC8hXM4rjUZ/ok5x/8K0GmiVCD78UxYzwqkV7dG6dLJwJdUP3Ltu36TbEaWQY2Tf/iSD4DOzs9Qk/7rAl4OfQfjH1/ONh/mYoQavfWWXGoHl3Sg3ROWFl67jllRcSo+LwScpWWlYbgfmIdgWeQiDsvP/pVit+BKrd7/II7ll11ilK37zHQxSwjjI0qZfi4SX9j0qzXbLe11X6RpZTepvz5GyZcpAuXW8NvPKP6o6XZsSh1ZhfaKD47J3F+wefFJHuLUXO1Z5rwrV+jihAIGnSUvIVug=="Default

Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003606000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000353F000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003566000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqPeV
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003606000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000353F000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003384000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{qq<
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000353F000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003248000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000034A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqh
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq8iE
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq@';
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003606000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqPe`
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000034F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq+O
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000358E000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000362E000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000035DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq\|
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000321E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq<
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000321A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagertLr
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003518000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqx
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqX
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq,.'
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000035B6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqPe[
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003400000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq0(@

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Queries volume information: C:\Users\user\Desktop\Qzo7rljbyQ.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Qzo7rljbyQ.exe, 00000000.00000002.4113818435.0000000007FD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r\MsMpeng.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.0000000001516000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Qzo7rljbyQ.exe, 00000000.00000002.4113541888.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx@\qq
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $qq3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $qq0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus@\qq
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum@\qq
Source: Qzo7rljbyQ.exe, 00000000.00000002.4110055106.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Qzo7rljbyQ.exe PID: 6600, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
167.88.160.63	unknown	United States		53667	PONYNETUS	true

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Qzo7rljbyQ.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Qzo7rljbyQ.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Qzo7rljbyQ.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Qzo7rljbyQ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Qzo7rljbyQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 167.88.160.63:56001 -> 192.168.2.4:49730

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 167.88.160.63:56001

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PONYNETUS PONYNETUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49732

Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.88.160.63

Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.0000000001516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.0000000001539000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

System Summary

.NET source code contains very large array initializations

Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, WrapperAttrSpec.cs

Large array initialization: LogoutDic: array initializer size 297408

Detected potential crypto function

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_016914F8	0_2_016914F8
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_01690868	0_2_01690868
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_016963ED	0_2_016963ED
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_016963F0	0_2_016963F0
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_016936A8	0_2_016936A8
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_01693699	0_2_01693699
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050176AB	0_2_050176AB
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050153C0	0_2_050153C0
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05014D02	0_2_05014D02
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_0501777D	0_2_0501777D
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050176B4	0_2_050176B4
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05017147	0_2_05017147
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05017150	0_2_05017150
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05010040	0_2_05010040
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050153BF	0_2_050153BF
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05017236	0_2_05017236
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BE6B40	0_2_08BE6B40
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEC1F0	0_2_08BEC1F0
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEE128	0_2_08BEE128
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEE100	0_2_08BEE100
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEC220	0_2_08BEC220
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BE6B30	0_2_08BE6B30
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BE5648	0_2_08BE5648
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEA770	0_2_08BEA770
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BEA760	0_2_08BEA760
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF4440	0_2_08BF4440
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BFE770	0_2_08BFE770
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF0040	0_2_08BF0040

Sample file is different than original file name gathered from version info

Source: Qzo7rljbyQ.exe, 00000000.00000002.4110055106.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUqgxreerde.dll" vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.000000000144E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe, 00000000.00000000.1651891424.0000000000D58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVsdsr.exe" vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4105569924.0000000004C5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUqgxreerde.dll" vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4105569924.00000000049BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUqgxreerde.dll" vs Qzo7rljbyQ.exe
Source: Qzo7rljbyQ.exe	Binary or memory string: OriginalFilenameVsdsr.exe" vs Qzo7rljbyQ.exe

Uses 32bit PE files

Source: Qzo7rljbyQ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Qzo7rljbyQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, SchemaService.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, SchemaService.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, WrapperAttrSpec.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\a3d0748ac2

Source: Qzo7rljbyQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Qzo7rljbyQ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Qzo7rljbyQ.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Section loaded: cabinet.dll	Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Qzo7rljbyQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Qzo7rljbyQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Qzo7rljbyQ.exe.5580000.3.raw.unpack, SchemaService.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_0501296B push eax; retf 0070h	0_2_050129A2
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050129A7 push eax; retf 0070h	0_2_050129B2
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050129B7 push eax; retf 0070h	0_2_050129A2
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_050129B7 push eax; retf 0070h	0_2_050129C2
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05012800 push eax; retf	0_2_05012801
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_05012868 pushfd ; retf	0_2_05012869
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF713F push cs; ret	0_2_08BF714F
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF0B92 push FFFFFFFFh; ret	0_2_08BF0B50
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Code function: 0_2_08BF0B30 push FFFFFFFFh; ret	0_2_08BF0AD1

Source: Qzo7rljbyQ.exe

Static PE information: section name: .text entropy: 7.988778517932884

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 5000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 5750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 6750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 6880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Memory allocated: 7880000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Window / User API: threadDelayed 2985			Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Window / User API: threadDelayed 6830			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 2996	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 2520	Thread sleep count: 2985 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 2520	Thread sleep count: 6830 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31408s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31169s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -31049s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30923s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe TID: 4544	Thread sleep time: -30031s >= -30000s	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 32000	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31875	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31765	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31655	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31547	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31408	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31281	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31169	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 31049	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30923	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30797	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30687	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30578	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30469	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30359	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30250	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30140	Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Thread delayed: delay time: 30031	Jump to behavior

Source: Qzo7rljbyQ.exe, 00000000.00000002.4113818435.0000000007FD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB
Source: Qzo7rljbyQ.exe, 00000000.00000002.4113541888.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpV

Enables debug privileges

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Detected PureCrypter Trojan

Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp

Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003606000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000353F000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003566000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqPeV
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003606000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000353F000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003384000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{qq<
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000353F000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003248000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000034A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqh
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq8iE
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq@';
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003606000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqPe`
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000034F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq+O
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000358E000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000362E000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000035DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq\|
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000321E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq<
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000321A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagertLr
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003518000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqx
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqX
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq,.'
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.00000000035B6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqqPe[
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.0000000003400000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTeqq0(@

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Queries volume information: C:\Users\user\Desktop\Qzo7rljbyQ.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Qzo7rljbyQ.exe, 00000000.00000002.4113818435.0000000007FD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r\MsMpeng.exe
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100466211.0000000001516000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Qzo7rljbyQ.exe, 00000000.00000002.4113541888.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx@\qq
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $qq3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $qq0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus@\qq
Source: Qzo7rljbyQ.exe, 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum@\qq
Source: Qzo7rljbyQ.exe, 00000000.00000002.4110055106.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\Qzo7rljbyQ.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000000.00000002.4100940187.000000000329D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4100940187.0000000003025000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Qzo7rljbyQ.exe PID: 6600, type: MEMORYSTR

ID:	1546604
Product:	CloudBasic
Start time:	08:32:06
Start date:	01.11.2024
Sample:	Qzo7rljbyQ.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1ddbc000b99fcedfa0411caa0958a3ce
SHA1:	454c0a25d42ae1c8e2616f757f6652850599aa83
SHA256:	d8d44d10581a16f9dcd963b111ab9329da6c625b6692e1bfe4f653b9ba1a7b77
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	B0A3D6D4FD7EDF4DC6E09C0CDF1CFB53	908B3F530ED0E2528B3FBC539A9EF7A835F15C83	EA8D48F54EB06469333C3EF7AAD52A404339E25517A66A9891B07600010130D6

Windows Analysis Report
Qzo7rljbyQ.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report Qzo7rljbyQ.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
Qzo7rljbyQ.exe

Malware Threat Intel
Provided by