Windows Analysis Report
H1pXo79CPd

Overview

General Information

Sample name: H1pXo79CPd (renamed because the original name is a hash value)
Original sample name: 21716bb1c51f01b8ed87151fe565c1d20e837a7a2121567db7915d7f8f6e633d
Analysis ID: 1524372
MD5: cfdf53f247859f70b66c15ad037463d6
SHA1: bf644a6a32b9eb6dda2e55119af2692d51421e57
SHA256: 21716bb1c51f01b8ed87151fe565c1d20e837a7a2121567db7915d7f8f6e633d

Detection

GhostRat
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Allocates memory in foreign processes
Drops executables to the windows directory (C:\Windows) and starts them
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Installs a global mouse hook
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Uses 32bit PE files

Classification

AV Detection

Source: C:\Recovery\nw_elf.dll Avira: detection malicious, Label: TR/Crypt.Agent.tfakp
Source: C:\Recovery\nw_elf.dll Avira: detection malicious, Label: TR/Crypt.Agent.avqrq
Source: C:\Recovery\nw_elf.dll ReversingLabs: Detection: 37%
Source: C:\Windows\nw_elf.dll ReversingLabs: Detection: 58%
Source: H1pXo79CPd ReversingLabs: Detection: 75%
Source: H1pXo79CPd Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: H1pXo79CPd Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\ClientDaemon.exe File opened: z:
Source: C:\Windows\ClientDaemon.exe File opened: x:
Source: C:\Windows\ClientDaemon.exe File opened: v:
Source: C:\Windows\ClientDaemon.exe File opened: t:
Source: C:\Windows\ClientDaemon.exe File opened: r:
Source: C:\Windows\ClientDaemon.exe File opened: p:
Source: C:\Windows\ClientDaemon.exe File opened: n:
Source: C:\Windows\ClientDaemon.exe File opened: l:
Source: C:\Windows\ClientDaemon.exe File opened: j:
Source: C:\Windows\ClientDaemon.exe File opened: h:
Source: C:\Windows\ClientDaemon.exe File opened: f:
Source: C:\Windows\ClientDaemon.exe File opened: b:
Source: C:\Windows\ClientDaemon.exe File opened: y:
Source: C:\Windows\ClientDaemon.exe File opened: w:
Source: C:\Windows\ClientDaemon.exe File opened: u:
Source: C:\Windows\ClientDaemon.exe File opened: s:
Source: C:\Windows\ClientDaemon.exe File opened: q:
Source: C:\Windows\ClientDaemon.exe File opened: o:
Source: C:\Windows\ClientDaemon.exe File opened: m:
Source: C:\Windows\ClientDaemon.exe File opened: k:
Source: C:\Windows\ClientDaemon.exe File opened: i:
Source: C:\Windows\ClientDaemon.exe File opened: g:
Source: C:\Windows\ClientDaemon.exe File opened: e:
Source: C:\Windows\SysWOW64\WerFault.exe File opened: c:
Source: C:\Windows\ClientDaemon.exe File opened: [:
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: global traffic TCP traffic: 192.168.2.16:49705 -> 111.67.195.167:8085
Source: global traffic TCP traffic: 192.168.2.16:49711 -> 103.118.253.78:8099
Source: unknown TCP traffic detected without corresponding DNS query: 111.67.195.167
Source: unknown UDP traffic detected without corresponding DNS query: 111.67.195.167
Source: unknown TCP traffic detected without corresponding DNS query: 103.118.253.78
Source: C:\Recovery\ClientDaemon.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
Source: C:\Users\user\Desktop\H1pXo79CPd.exe File created: c:\windows\ClientDaemon.exe
Source: C:\Users\user\Desktop\H1pXo79CPd.exe File created: c:\windows\nw_elf.dll
Source: C:\Recovery\ClientDaemon.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 1220
Source: classification engine Classification label: mal84.troj.evad.win@6/11@0/39
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6372
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7068
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\44fdfb13-a9b5-418e-873b-1d695687a27c
Source: H1pXo79CPd Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\H1pXo79CPd.exe "C:\Users\user\Desktop\H1pXo79CPd.exe"
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Process created: C:\Recovery\ClientDaemon.exe C:\recovery\ClientDaemon.exe
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Process created: C:\Windows\ClientDaemon.exe C:\windows\ClientDaemon.exe
Source: C:\Windows\ClientDaemon.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 1196
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Section loaded: apphelp.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: nw_elf.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: winmm.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: version.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: cryptbase.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: dinput8.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: inputhost.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: coremessaging.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: propsys.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: wintypes.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: coreuicomponents.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: ntmarta.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: netapi32.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: mswsock.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: napinsp.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: pnrpnsp.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: wshbth.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: nlaapi.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: iphlpapi.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: dnsapi.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: winrnr.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: fwpuclnt.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: rasadhlp.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: uxtheme.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: ddraw.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: dxgi.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: dciman32.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: d3d10warp.dll
Source: C:\Recovery\ClientDaemon.exe Section loaded: dxcore.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: nw_elf.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: winmm.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: version.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: cryptbase.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: dinput8.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: inputhost.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: coremessaging.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: propsys.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: wintypes.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: ntmarta.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: netapi32.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: mswsock.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: napinsp.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: wshbth.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: nlaapi.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: iphlpapi.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: dnsapi.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: winrnr.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: rasadhlp.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: uxtheme.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: ddraw.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: dxgi.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: dciman32.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: d3d10warp.dll
Source: C:\Windows\ClientDaemon.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Section loaded: xmllite.dll
Source: C:\Recovery\ClientDaemon.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7B70EE0-4340-11CF-B063-0020AFC2CD35}\InprocServer32
Source: H1pXo79CPd Static file information: File size 5196288 > 1048576
Source: H1pXo79CPd Static PE information: section name: RT_CURSOR
Source: H1pXo79CPd Static PE information: section name: RT_BITMAP
Source: H1pXo79CPd Static PE information: section name: RT_ICON
Source: H1pXo79CPd Static PE information: section name: RT_MENU
Source: H1pXo79CPd Static PE information: section name: RT_DIALOG
Source: H1pXo79CPd Static PE information: section name: RT_STRING
Source: H1pXo79CPd Static PE information: section name: RT_ACCELERATOR
Source: H1pXo79CPd Static PE information: section name: RT_GROUP_ICON
Source: H1pXo79CPd Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2fba00
Source: H1pXo79CPd Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1aee00
Source: H1pXo79CPd Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: H1pXo79CPd Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: H1pXo79CPd Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: H1pXo79CPd Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: H1pXo79CPd Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\H1pXo79CPd.exe Executable created and started: c:\windows\ClientDaemon.exe
Source: C:\Users\user\Desktop\H1pXo79CPd.exe File created: C:\Windows\ClientDaemon.exe
Source: C:\Users\user\Desktop\H1pXo79CPd.exe File created: C:\Recovery\nw_elf.dll
Source: C:\Users\user\Desktop\H1pXo79CPd.exe File created: C:\Windows\nw_elf.dll
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ClientDaemon.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Recovery\ClientDaemon.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ClientDaemon.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Process information queried: ProcessInformation
Source: C:\Recovery\ClientDaemon.exe Process queried: DebugPort
Source: C:\Windows\ClientDaemon.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\H1pXo79CPd.exe Memory allocated: C:\Windows\ClientDaemon.exe base: 47B0000 protect: page read and write
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Memory written: C:\Windows\ClientDaemon.exe base: 47B0000
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Memory written: C:\Windows\ClientDaemon.exe base: 480E2D8
Source: C:\Users\user\Desktop\H1pXo79CPd.exe Memory written: C:\Windows\ClientDaemon.exe base: 480F1E8
Source: C:\Recovery\ClientDaemon.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\ClientDaemon.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.1411391226.0000000006480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.1411391226.0000000006480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY