Analysis Report #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat

Overview

General Information

Sample Name: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat (renamed file extension from bat to exe)
Analysis ID: 343504
MD5: 6665909a2652c5860fd874cb15c3991c
SHA1: 84a5a2e920e8165634e510766eaa51662401a227
SHA256: 1ef7ae3509e71c3cd0904a7396831e6bd2c021f14dc5d4b2485a38ebefc3dd3d

Most interesting Screenshot:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Virustotal: Detection: 15%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe ReversingLabs: Detection: 22%

Privilege Escalation:

Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000180002D40 CoGetObject,CoGetObject,Sleep,SleepEx, 0_2_0000000180002D40

Compliance:

Binary contains paths to debug symbols
Source: Binary string: C:\sourcetree\CortexCommon\Razer.ProcessManager\PMManager\x64\Release\PMRunner.pdb source: PMRunner64.exe, 0000000C.00000000.685253001.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000E.00000000.707315840.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000F.00000000.724614077.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe.0.dr

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: z:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: x:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: v:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: t:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: r:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: p:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: n:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: l:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: j:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: h:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: f:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: b:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: y:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: w:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: u:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: s:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: q:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: o:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: m:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: k:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: i:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: g:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: e:
Source: C:\Windows\System32\conhost.exe File opened: c:
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: [:
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400223C0 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_00000001400223C0
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_00405BD6 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 1_2_00405BD6
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_0040755D FindFirstFileW, 1_2_0040755D
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_00406532 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 1_2_00406532
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\TXP\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 110.92.66.246 ports 1,2,13527,3,5,7
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 13527
Source: unknown Network traffic detected: HTTP traffic on port 13527 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 13527
Source: unknown Network traffic detected: HTTP traffic on port 13527 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 13527
Source: unknown Network traffic detected: HTTP traffic on port 13527 -> 49746
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49744 -> 110.92.66.246:13527
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHWSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnCSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkFSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 204.79.197.200 204.79.197.200
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK HKKFGL-AS-APHKKwaifongGroupLimitedHK
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140002220 recv,SendMessageW,_cwprintf_s_l,inet_ntoa,_cwprintf_s_l,inet_ntoa,_cwprintf_s_l,_cwprintf_s_l,_cwprintf_s_l,htons,_cwprintf_s_l, 0_2_0000000140002220
Source: global traffic HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHWSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnCSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkFSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://ocsp.thawte.com0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://th.symcb.com/th.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://th.symcb.com/th.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://th.symcd.com0&
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: http://www.nsecsoft.com
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: https://www.thawte.com/cps0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400DC700 CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard, 0_2_00000001400DC700
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400900A0 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible, 0_2_00000001400900A0
Creates a DirectInput object (often for capturing keystrokes)
Source: zr.exe, 00000001.00000002.653437096.0000000000708000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014007AAC4 MessageBeep,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 0_2_000000014007AAC4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140085328 GetParent,ScreenToClient,free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 0_2_0000000140085328
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014000F35C GetKeyState,GetKeyState,GetKeyState,SendMessageW, 0_2_000000014000F35C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014008F93C GetKeyState,GetKeyState,GetKeyState, 0_2_000000014008F93C

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Process Stats: CPU usage > 98%
Contains functionality to communicate with device drivers
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_00406D20: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy, 1_2_00406D20
Detected potential crypto function
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014002007C 0_2_000000014002007C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140011818 0_2_0000000140011818
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140076074 0_2_0000000140076074
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014010E08C 0_2_000000014010E08C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400BE1D0 0_2_00000001400BE1D0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014005A1C4 0_2_000000014005A1C4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140162354 0_2_0000000140162354
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014005C3D4 0_2_000000014005C3D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014007A4D8 0_2_000000014007A4D8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400365D8 0_2_00000001400365D8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140046614 0_2_0000000140046614
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014003C644 0_2_000000014003C644
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014005A694 0_2_000000014005A694
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400DE6A4 0_2_00000001400DE6A4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014004472C 0_2_000000014004472C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014000A760 0_2_000000014000A760
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400BE798 0_2_00000001400BE798
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014006C8BC 0_2_000000014006C8BC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400768F8 0_2_00000001400768F8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140074934 0_2_0000000140074934
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014002C960 0_2_000000014002C960
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140018AB8 0_2_0000000140018AB8
Enables security privileges
Source: C:\Users\user\zT6Nm@i4\zr.exe Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: String function: 00401CC2 appears 153 times
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: String function: 0045AD30 appears 480 times
PE file contains strange resources
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PMRunner64.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp Binary or memory string: OriginalFilename7zr.exe, vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686343189.0000000002530000.00000002.00000001.sdmp Binary or memory string: originalfilename vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686343189.0000000002530000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686174201.0000000002430000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686004489.00000000020D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686469830.00000000026C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686358301.0000000002550000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Tries to load missing DLLs
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Section loaded: devenum.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Section loaded: devobj.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Section loaded: msdmo.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Section loaded: netapi32.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Section loaded: samcli.dll
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Section loaded: wtsapi32.dll
Yara signature match
Source: C:\Users\user\zT6Nm@i4\ru2.url, type: DROPPED Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: classification engine Classification label: mal72.troj.expl.evad.winEXE@13/17@0/5
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_00414942 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 1_2_00414942
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_00407CF5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 1_2_00407CF5
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014001E7FC CoInitialize,CoCreateInstance, 0_2_000000014001E7FC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400081A8 FindResourceW,LoadResource,LockResource,FreeResource, 0_2_00000001400081A8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File created: C:\Users\user\zT6Nm@i4
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Mutant created: \Sessions\1\BaseNamedObjects\V 5i
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Mutant created: \Sessions\1\BaseNamedObjects\Random name
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_01
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Virustotal: Detection: 15%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe ReversingLabs: Detection: 22%
Source: unknown Process created: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe 'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe'
Source: unknown Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\Microsoft\zr.exe 'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: unknown Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: unknown Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Static file information: File size 3150336 > 1048576
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x179c00
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Static PE information: More than 200 imports for USER32.dll
Source: Binary string: C:\sourcetree\CortexCommon\Razer.ProcessManager\PMManager\x64\Release\PMRunner.pdb source: PMRunner64.exe, 0000000C.00000000.685253001.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000E.00000000.707315840.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000F.00000000.724614077.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe.0.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140032378 GetModuleHandleW,LoadLibraryW,GetProcAddress, 0_2_0000000140032378
PE file contains sections with non-standard names
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Static PE information: section name: text
Source: zr.exe.0.dr Static PE information: section name: .sxdata
Source: zr.exe.3.dr Static PE information: section name: .sxdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_0044C2D0 push ecx; mov dword ptr [esp], ecx 1_2_0044C2D1
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_0045AD30 push eax; ret 1_2_0045AD4E
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_0045B0E0 push eax; ret 1_2_0045B10E

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File created: C:\Users\user\zT6Nm@i4\PMRunner64.exe
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File created: C:\Users\user\zT6Nm@i4\zr.exe
Source: C:\Windows\System32\cmd.exe File created: C:\ProgramData\Microsoft\zr.exe
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File created: C:\Users\user\zT6Nm@i4\K_FPS64.dll
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\System32\cmd.exe File created: C:\ProgramData\Microsoft\zr.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\ProgramData\Microsoft\zr.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk
Source: C:\ProgramData\Microsoft\zr.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 13527
Source: unknown Network traffic detected: HTTP traffic on port 13527 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 13527
Source: unknown Network traffic detected: HTTP traffic on port 13527 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 13527
Source: unknown Network traffic detected: HTTP traffic on port 13527 -> 49746
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400025A0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_00000001400025A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140038030 IsIconic, 0_2_0000000140038030
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400900A0 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible, 0_2_00000001400900A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400926C4 IsIconic,PostMessageW, 0_2_00000001400926C4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400668D4 IsWindowVisible,IsIconic, 0_2_00000001400668D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 0_2_0000000140090DC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140091184 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect, 0_2_0000000140091184
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140045388 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageW,UpdateWindow,GetParent,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 0_2_0000000140045388
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400918D4 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,PtInRect,SendMessageW,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,SendMessageW,GetFocus,WindowFromPoint,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW, 0_2_00000001400918D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140037F50 SetForegroundWindow,IsIconic, 0_2_0000000140037F50
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000018000C380 RtlEncodePointer,_initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_000000018000C380
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: K_FPS64.dll.0.dr Binary or memory string: OLLYDBG.EXEPROCESSHACKER.EXETCPVIEW.EXEAUTORUNS.EXEAUTORUNSC.EXEFILEMON.EXEPROCMON.EXEREGMON.EXEPROCEXP.EXEIDAQ.EXEIDAQ64.EXEIMMUNITYDEBUGGER.EXEWIRESHARK.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXESYSINSPECTOR.EXEPROC_ANALYZER.EXESYSANALYZER.EXESNIFF_HIT.EXEWINDBG.EXEJOEBOXCONTROL.EXEJOEBOXSERVER.EXERESOURCEHACKER.EXEX32DBG.EXEX64DBG.EXEFIDDLER.EXEHTTPDEBUGGER.EXERANDOM NAMEI AM CRITICAL FUNCTION, YOU SHOULD PROTECT AGAINST INT3 BPS %DPRL_CC.EXEPRL_TOOLS.EXECHECKING PARALLELS PROCESSES: %SHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0IDENTIFIERQEMUCHECKING REG KEY %S QEMU-GA.EXECHECKING QEMU PROCESSES %S VBOXHARDWARE\DESCRIPTION\SYSTEMSYSTEMBIOSDATE06/23/99HARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOVBOXSERVICE.EXEVBOXTRAY.EXEVMSRVC.EXEVMUSRVC.EXECHECKING VIRTUAL PC PROCESSES %S SOFTWARE\MICROSOFT\VIRTUAL MACHINE\GUEST\PARAMETERSVMWAREHARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONSYSTEMMANUFACTURERSYSTEMPRODUCTNAMECHECKING REG KEY %S
Contains capabilities to detect virtual machines
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Windows\System32\conhost.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Note: conhost.exe is the Windows console host started for the console children (zr.exe, cmd.exe), and the "VMware" in this device interface path is the name of the analysis VM's own virtual CD-ROM. This hit most likely reflects the sandbox's hardware rather than a check performed by the sample; the PMRunner64.exe registry queries above are the ones that match the VM-detection strings in K_FPS64.dll.
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe API coverage: 4.5 %
Source: C:\Users\user\zT6Nm@i4\zr.exe API coverage: 7.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6568 Thread sleep count: 342 > 30
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6876 Thread sleep count: 60 > 30
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6884 Thread sleep count: 45 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (observed 2 times)
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400223C0 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 0_2_00000001400223C0
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_00405BD6 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 1_2_00405BD6
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_0040755D FindFirstFileW, 1_2_0040755D
Source: C:\Users\user\zT6Nm@i4\zr.exe Code function: 1_2_00406532 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 1_2_00406532
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014015892C VirtualQuery,GetSystemInfo,SetThreadStackGuarantee,VirtualAlloc,VirtualProtect, 0_2_000000014015892C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\TXP\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\
Source: K_FPS64.dll.0.dr Binary or memory string: ollydbg.exeProcessHacker.exetcpview.exeautoruns.exeautorunsc.exefilemon.exeprocmon.exeregmon.exeprocexp.exeidaq.exeidaq64.exeImmunityDebugger.exeWireshark.exedumpcap.exeHookExplorer.exeImportREC.exePETools.exeLordPE.exeSysInspector.exeproc_analyzer.exesysAnalyzer.exesniff_hit.exewindbg.exejoeboxcontrol.exejoeboxserver.exeResourceHacker.exex32dbg.exex64dbg.exeFiddler.exehttpdebugger.exeRandom nameI am critical function, you should protect against int3 bps %dprl_cc.exeprl_tools.exeChecking Parallels processes: %sHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUChecking reg key %s qemu-ga.exeChecking qemu processes %s VBOXHARDWARE\Description\SystemSystemBiosDate06/23/99HARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxVideovboxservice.exevboxtray.exeVMSrvc.exeVMUSrvc.exeChecking Virtual PC processes %s SOFTWARE\Microsoft\Virtual Machine\Guest\ParametersVMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationSystemManufacturerSystemProductNameChecking reg key %s
Source: K_FPS64.dll.0.dr Binary or memory string: 00:1C:14PV00:50:56Checking MAC starting with %svmtoolsd.exevmwaretray.exevmwareuser.exeVGAuthService.exevmacthlp.exeChecking VWware process %s kernel32.dllntdll.dllRtlGetVersionRtlAddFunctionTablentdll
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.685826678.0000000000641000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe API call chain: ExitProcess graph end node (observed 2 times)
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Process information queried: ProcessInformation
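The string table that the two "Binary or memory string" hits above were matched against is the useful artifact in this section: it lists, in one place, every process name, registry key and MAC prefix the dropped K_FPS64.dll compares against before the payload runs. The following triage helper is an added example (not code from the report, from Joe Sandbox, or from the sample) that buckets such a table into the checks it performs and turns it into a hardening list for an analysis VM. It assumes the strings are NUL-separated in the binary, as a strings-style extraction would give them (the report prints them run together); SAMPLE_TABLE is a constructed NUL-separated subset of the strings the report lists, and the prefix list used to tell guest-tools processes from analyst tools is a heuristic of this example.

```python
"""Classify the anti-analysis string table of a dropped DLL into actionable categories.

Added example for triage, not code from the report or from the sample.
Assumption: the strings are NUL-separated in the binary (the report prints
them run together). SAMPLE_TABLE is a constructed NUL-separated subset of
the strings the report lists for K_FPS64.dll.
"""
import re
from collections import defaultdict

SAMPLE_TABLE = (
    b"ollydbg.exe\x00ProcessHacker.exe\x00tcpview.exe\x00autoruns.exe\x00"
    b"procmon.exe\x00idaq64.exe\x00Wireshark.exe\x00windbg.exe\x00"
    b"joeboxcontrol.exe\x00x64dbg.exe\x00Fiddler.exe\x00"
    b"I am critical function, you should protect against int3 bps %d\x00"
    b"prl_cc.exe\x00prl_tools.exe\x00Checking Parallels processes: %s\x00"
    b"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\x00"
    b"Identifier\x00QEMU\x00Checking reg key %s\x00qemu-ga.exe\x00VBOX\x00"
    b"HARDWARE\\Description\\System\x00SystemBiosDate\x0006/23/99\x00"
    b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00HARDWARE\\ACPI\\FADT\\VBOX__\x00"
    b"HARDWARE\\ACPI\\RSDT\\VBOX__\x00SYSTEM\\ControlSet001\\Services\\VBoxGuest\x00"
    b"vboxservice.exe\x00vboxtray.exe\x00VMSrvc.exe\x00VMUSrvc.exe\x00"
    b"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters\x00VMWARE\x00"
    b"00:1C:14\x0000:50:56\x00Checking MAC starting with %s\x00"
    b"vmtoolsd.exe\x00vmwaretray.exe\x00VGAuthService.exe\x00vmacthlp.exe\x00"
    b"kernel32.dll\x00ntdll.dll\x00RtlGetVersion\x00"
)

# Heuristic of this example: process names with these prefixes belong to
# hypervisor guest tools (VirtualBox, VMware, Parallels, QEMU, Virtual PC);
# every other .exe name is treated as an analyst tool the DLL looks for.
VM_PROCESS_HINTS = ("vbox", "vm", "prl_", "qemu", "vgauth")
REG_ROOTS = ("HARDWARE\\", "SYSTEM\\", "SOFTWARE\\")
MAC_PREFIX = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){2}$")


def split_string_table(blob: bytes) -> list[str]:
    """Split a NUL-separated string table, dropping empty entries."""
    return [s.decode("ascii", errors="replace") for s in blob.split(b"\x00") if s]


def classify_indicators(strings: list[str]) -> dict[str, list[str]]:
    """Bucket each string by what the checker does with it."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for s in strings:
        low = s.lower()
        if "%s" in s or "%d" in s:
            buckets["messages"].append(s)          # printf-style log lines of the checker itself
        elif low.endswith(".exe"):
            if low.startswith(VM_PROCESS_HINTS):
                buckets["vm_processes"].append(s)  # guest-tools names compared against the process list
            else:
                buckets["analysis_tools"].append(s)
        elif s.startswith(REG_ROOTS):
            buckets["registry_keys"].append(s)     # HKLM paths opened or queried
        elif MAC_PREFIX.match(s):
            buckets["mac_prefixes"].append(s)      # OUI prefixes compared against adapter MACs
        else:
            buckets["other"].append(s)             # value names, expected values, imports
    return dict(buckets)


def hardening_checklist(classified: dict[str, list[str]]) -> list[str]:
    """Turn the buckets into checks to run against an analysis VM before detonation."""
    items = []
    for key in classified.get("registry_keys", []):
        items.append(f"registry: audit HKLM\\{key} (key presence and vendor strings in its values)")
    for proc in classified.get("vm_processes", []):
        items.append(f"process: {proc} must not be running under that name")
    for proc in classified.get("analysis_tools", []):
        items.append(f"tool: run {proc} from a renamed copy, or not at all")
    for oui in classified.get("mac_prefixes", []):
        items.append(f"network: guest NIC MAC must not start with {oui}")
    return items


if __name__ == "__main__":
    classified = classify_indicators(split_string_table(SAMPLE_TABLE))
    for bucket, entries in classified.items():
        print(f"{bucket}: {len(entries)} entries")
    print("\n".join(hardening_checklist(classified)))
```

The registry bucket needs a human pass: keys such as HARDWARE\ACPI\DSDT\VBOX__ exist only on a VirtualBox guest, but HARDWARE\DEVICEMAP\Scsi\... and HARDWARE\Description\System exist on physical hosts too, and the DLL compares their values (Identifier, SystemBiosDate) against the "QEMU", "VBOX", "VMWARE" and "06/23/99" entries that land in the "other" bucket.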

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014015C7A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014015C7A0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000180014870 RtlEncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_0000000180014870
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140032378 GetModuleHandleW,LoadLibraryW,GetProcAddress, 0_2_0000000140032378
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140002BFC VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc, 0_2_0000000140002BFC
Enables debug privileges
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_000000014015C7A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014015C7A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140154B40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0000000140154B40

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001800090C0 SetFileAttributesW,Sleep,SleepEx,ShellExecuteExW,Sleep,SleepEx,DeleteFileW,ShellExecuteW,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,Sleep,SleepEx,ShellExecuteExW,DeleteFileW,DeleteFileW,DeleteFileW, 0_2_00000001800090C0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Note: the zr.exe command line uses 7-Zip command-line syntax (a = add to archive), packing the TXP directory, under which the Start Menu\Programs\Startup path listed above was opened, into 111.7z.
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: _cwprintf_s_l,GetNumberFormatW,GetLocaleInfoW,lstrlenW, 0_2_000000014006CC48
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: GetProcAddress,_errno,GetUserDefaultUILanguage,ConvertDefaultLocale,ConvertDefaultLocale,GetSystemDefaultUILanguage,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameW,GetLocaleInfoW,_errno,_errno,_snwprintf_s,_errno,_errno,_errno,LoadLibraryW, 0_2_0000000140003520
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Queries volume information: C:\ VolumeInformation (observed 3 times)
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140154D44 GetSystemTimeAsFileTime, 0_2_0000000140154D44
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140161ED4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0000000140161ED4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_00000001400206A8 GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00000001400206A8

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe Code function: 0_2_0000000140001D04 WSAStartup,WSASocketW,gethostname,gethostbyname,inet_ntoa,htons,bind,WSAIoctl, 0_2_0000000140001D04
Caveat: the chain contains bind and WSAIoctl but no listen or accept. Resolving the host's own name, binding a socket to that address and then calling WSAIoctl is also the pattern of raw-socket capture (WSAIoctl with SIO_RCVALL), so confirm the socket type passed to WSASocketW and the WSAIoctl control code before reporting this function as a listener.
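The behavior sections above all share one line format, "Source: <process> <event>: <detail>", so a report export can be folded back into per-process findings instead of being read signature by signature. The script below is an added example (not code from the report, from Joe Sandbox, or from the sample) that parses those lines and correlates the registry VM checks, the sleep loops, the SeDebugPrivilege adjustment, the cmd.exe/copy.bat and zr.exe archiving launches, and the Startup-folder access by process. SAMPLE_LINES is constructed from lines that appear in this report, with the submitted file's long escaped name replaced by sample.exe for readability; the rule set, the finding labels and the weights are this example's own heuristics, not Joe Sandbox's scoring.

```python
"""Turn Joe Sandbox 'Source: <process> <event>: <detail>' lines into per-process findings.

Added example for triage, not part of the report and not Joe Sandbox's own
scoring. SAMPLE_LINES is constructed from behavior lines in this report; the
submitted file's escaped name is replaced by sample.exe, and the
'Jump to behavior' link text is left on some rows to show it is ignored.
"""
import re
from collections import defaultdict

SAMPLE_LINES = [
    "Source: C:\\Users\\user\\zT6Nm@i4\\PMRunner64.exe File opened: HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ Jump to behavior",
    "Source: C:\\Users\\user\\zT6Nm@i4\\PMRunner64.exe Registry key queried: HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System name: SystemBiosDate Jump to behavior",
    "Source: C:\\Users\\user\\zT6Nm@i4\\PMRunner64.exe TID: 6568 Thread sleep count: 342 > 30 Jump to behavior",
    "Source: C:\\Users\\user\\zT6Nm@i4\\PMRunner64.exe Process token adjusted: Debug Jump to behavior",
    "Source: C:\\Users\\user\\Desktop\\sample.exe Process created: C:\\Users\\user\\zT6Nm@i4\\zr.exe 'C:\\Users\\user\\zT6Nm@i4\\zr.exe' a 'C:\\Users\\user\\zT6Nm@i4\\111.7z' 'C:\\Users\\user\\zT6Nm@i4\\TXP\\*'",
    "Source: C:\\Users\\user\\Desktop\\sample.exe Process created: C:\\Windows\\System32\\cmd.exe 'C:\\Windows\\System32\\cmd.exe' /C 'C:\\Users\\user\\zT6Nm@i4\\copy.bat'",
    "Source: C:\\Users\\user\\Desktop\\sample.exe File opened: C:\\Users\\user\\zT6Nm@i4\\TXP\\Windows\\Start Menu\\Programs\\Startup\\Realtek .lnk Jump to behavior",
    "Source: C:\\Windows\\System32\\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
]

# The process path ends in .exe, the event name carries no colon, and the
# detail runs to the end of the line minus the optional link text.
LINE = re.compile(
    r"^Source: (?P<proc>.+?\.exe) (?P<event>[^:]+): (?P<detail>.+?)(?: Jump to behavior)?$"
)
SLEEP = re.compile(r"Thread sleep count: (\d+) > (\d+)")
# Registry locations named in the dropped DLL's VM-detection string table.
VM_KEY_FRAGMENTS = ("ACPI\\DSDT\\VBOX__", "ACPI\\FADT\\VBOX__", "ACPI\\RSDT\\VBOX__",
                    "Services\\VBox", "DEVICEMAP\\Scsi", "SystemBiosDate")
# Weights are this example's own; they are not Joe Sandbox's score.
WEIGHTS = {
    "vm-detection registry check": 2,
    "SeDebugPrivilege enabled": 2,
    "sleep loop": 1,
    "runs dropped batch file": 1,
    "archives a directory (7-Zip 'a' syntax)": 1,
    "touches Startup folder": 2,
}


def parse_lines(lines):
    """Return (process, event, detail) for every line in the report format."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append((m["proc"], m["event"], m["detail"]))
    return events


def profile(events):
    """Map each process image to the sorted list of behaviors observed for it."""
    findings = defaultdict(set)
    for proc, event, detail in events:
        low = detail.lower()
        if event in ("File opened", "Registry key queried") and detail.startswith("HKEY_"):
            if any(frag.lower() in low for frag in VM_KEY_FRAGMENTS):
                findings[proc].add("vm-detection registry check")
        elif event == "Process token adjusted" and detail == "Debug":
            findings[proc].add("SeDebugPrivilege enabled")
        elif event == "TID":
            m = SLEEP.search(detail)
            if m and int(m.group(1)) > int(m.group(2)):
                findings[proc].add("sleep loop")
        elif event == "Process created":
            child = detail.split(" ", 1)[0].lower()
            if child.endswith("cmd.exe") and ".bat" in low:
                findings[proc].add("runs dropped batch file")
            elif re.search(r"\.exe' a '.+\.7z'", detail):
                findings[proc].add("archives a directory (7-Zip 'a' syntax)")
        elif event == "File opened" and "\\start menu\\programs\\startup\\" in low:
            findings[proc].add("touches Startup folder")
    return {proc: sorted(f) for proc, f in findings.items()}


def score(findings):
    """Sum the weights of each process's findings."""
    return {proc: sum(WEIGHTS[f] for f in fs) for proc, fs in findings.items()}


if __name__ == "__main__":
    found = profile(parse_lines(SAMPLE_LINES))
    for proc, total in sorted(score(found).items(), key=lambda kv: -kv[1]):
        print(f"{total:2d}  {proc}")
        for f in found[proc]:
            print(f"      - {f}")
```

Run against this report, the split falls out the way the graph suggests: the submitted executable is the dropper (archives the staged directory, runs copy.bat, touches the Startup folder) and PMRunner64.exe is the stage that checks for a VM, delays, and takes SeDebugPrivilege, while cmd.exe accumulates no findings of its own.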
Behavior Graph (ID 343504, start date 24/01/2021, architecture WINDOWS, score 72), summarized from the rendered graph:

  • Graph-level signatures: Multi AV Scanner detection for submitted file; Connects to many ports of the same IP (likely port scanning); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses known network protocols on non-standard ports.
  • #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe (root process): drops C:\Users\user\zT6Nm@i4\PMRunner64.exe (PE32+), C:\Users\user\zT6Nm@i4\K_FPS64.dll (PE32+) and C:\Users\user\zT6Nm@i4\zr.exe (PE32); starts PMRunner64.exe, cmd.exe and zr.exe; contacts 204.79.197.200 and 40.126.31.135 on port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 2 other IPs or domains; signature: Contains functionality to bypass UAC (CMSTPLUA).
  • PMRunner64.exe: contacts 110.92.66.246 on port 13527 (HKKFGL-AS-APHKKwaifongGroupLimitedHK, Hong Kong); signature: Tries to detect sandboxes / dynamic malware analysis system (registry check). Two further PMRunner64.exe instances are started from the root.
  • cmd.exe: drops C:\ProgramData\Microsoft\zr.exe (PE32); starts conhost.exe.
  • zr.exe: starts conhost.exe.

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name                              Malicious
40.126.31.135   unknown  United States  8075    MICROSOFT-CORP-MSN-AS-BLOCKUS         false
204.79.197.200  unknown  United States  8068    MICROSOFT-CORP-MSN-AS-BLOCKUS         false
110.92.66.246   unknown  Hong Kong      133115  HKKFGL-AS-APHKKwaifongGroupLimitedHK  true

Private

IP
192.168.2.1
192.168.2.4

Contacted URLs

Name                          Malicious  Antivirus Detection  Reputation
http://110.92.66.246:13527/\  true                            unknown