Windows Analysis Report
test.exe

Overview

General Information

Sample name: test.exe
Analysis ID: 1524536
MD5: 2a98009ebc2e830e2e2de723312ee8a6
SHA1: 4d767fa5085f36a9d6c8a70de8106b5e4a6a6802
SHA256: 0f28c564a6268c2f3203bf3d594cb519dde447032911eebf3b430e925a94915a
Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
DLL reload attack detected
Multi AV Scanner detection for dropped file
Submitted sample is a known malware sample
AI detected suspicious sample
Contains functionality to inject threads in other processes
Drops executables to the windows directory (C:\Windows) and starts them
Found stalling execution ending in API Sleep call
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: test.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Avira: detection malicious, Label: TR/Rogue.kdv.685680
Source: C:\Users\user\AppData\Roaming\Microsoft\Caches\Files\usd.dll Avira: detection malicious, Label: TR/Spy.Agent.auk
Source: C:\Windows\SysWOW64\mscaps.exe Avira: detection malicious, Label: TR/Spy.Agent.auh
Source: C:\Users\user\AppData\Roaming\Microsoft\Shared\Modules\fil.dll Avira: detection malicious, Label: TR/Crypt.FKM.1350
Source: C:\Users\user\AppData\Roaming\Microsoft\Repairs\sha.dll Avira: detection malicious, Label: BDS/Fynloski.IG
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Addins\att.dll Avira: detection malicious, Label: TR/Spy.Agent.aul
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Avira: detection malicious, Label: TR/Drop.Daws.awfy
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Avira: detection malicious, Label: TR/PSW.Agent.pzuba
Source: C:\Users\user\AppData\Roaming\Microsoft\Identities\user\arc.dll Avira: detection malicious, Label: TR/Spy.Agent.rddod
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Avira: detection malicious, Label: BDS/Nanocore.MG
Source: C:\Users\user\AppData\Roaming\Microsoft\Common\Shared\dis.dll Avira: detection malicious, Label: BDS/Fynloski.BA
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\Microsoft\Caches\Files\usd.dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Microsoft\Common\Shared\dis.dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\Microsoft\Identities\user\arc.dll ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Repairs\sha.dll ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Shared\Modules\fil.dll ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Addins\att.dll ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\mscaps.exe ReversingLabs: Detection: 100%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\mscaps.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Identities\user\arc.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Joe Sandbox ML: detected
Source: test.exe Joe Sandbox ML: detected
Source: test.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00401466 FindFirstFileW,FindClose, 2_2_00401466
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00404D6B FindFirstFileW,FindClose, 2_2_00404D6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_004012A4 FindFirstFileW,FindClose, 11_2_004012A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_004034D3 FindFirstFileW,FindClose, 11_2_004034D3
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_00403177 DeleteFileA,FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 15_2_00403177
Source: test.exe.1.dr String found in binary or memory: https://github.com/Denvi/Candle/

System Summary

Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Dropped file: MD5: fffa05401511ad2a89283c52d0c86472 Family: Lazarus Group Alias: Operation DarkSeoul, Dark Seoul, Hidden Cobra, Hastati Group, Andariel Group, Unit 121, Bureau 121, NewRomanic Cyber Army Team, Bluenoroff, Group 77, Labyrinth Chollima, Operation Troy, Operation GhostSecret, Guardians of Peace, ZINC, NICKEL ACADEMY, APT-C-26, Silent Chollima, Lazarus Group Description: Lazarus Group, active since at least 2009, is an APT group that has been attributed to North Korea. Many campaigns are connected to it, including Operation Blockbuster, Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, Ten Days of Rain, etc. In November 2014 it carried out a destructive wiping attack against Sony Pictures Entertainment. In 2016 it attacked the Bangladesh central bank and stole US$81 million. In mid-2017 the WannaCry malware, which leverages the leaked EternalBlue exploit, affected as many as 300,000 computers worldwide. References: Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Dropped file: MD5: 78d3c8705f8baf7d34e6a6737d1cfa18 Family: Lazarus Group Alias: Operation DarkSeoul, Dark Seoul, Hidden Cobra, Hastati Group, Andariel Group, Unit 121, Bureau 121, NewRomanic Cyber Army Team, Bluenoroff, Group 77, Labyrinth Chollima, Operation Troy, Operation GhostSecret, Guardians of Peace, ZINC, NICKEL ACADEMY, APT-C-26, Silent Chollima, Lazarus Group Description: Lazarus Group, active since at least 2009, is an APT group that has been attributed to North Korea. Many campaigns are connected to it, including Operation Blockbuster, Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, Ten Days of Rain, etc. In November 2014 it carried out a destructive wiping attack against Sony Pictures Entertainment. In 2016 it attacked the Bangladesh central bank and stole US$81 million. In mid-2017 the WannaCry malware, which leverages the leaked EternalBlue exploit, affected as many as 300,000 computers worldwide. References: Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe File created: C:\Windows\SysWOW64\mscaps.exe
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00404069 2_2_00404069
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040A8DB 2_2_0040A8DB
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00406550 2_2_00406550
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040B965 2_2_0040B965
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00403D17 2_2_00403D17
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_004035D5 2_2_004035D5
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_004039DA 2_2_004039DA
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_004159BF 2_2_004159BF
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040866E 2_2_0040866E
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00407E7F 2_2_00407E7F
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040AECE 2_2_0040AECE
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_004042F0 2_2_004042F0
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00410334 2_2_00410334
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040A3BD 2_2_0040A3BD
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_1000A69F 2_2_1000A69F
Source: C:\Users\user\Desktop\test.exe Code function: 3_2_00407753 3_2_00407753
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Code function: 8_2_1000A69F 8_2_1000A69F
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_0040247F 11_2_0040247F
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_004074EC 11_2_004074EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_00402142 11_2_00402142
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_00401D3D 11_2_00401D3D
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_0040C1C4 11_2_0040C1C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_00404DCD 11_2_00404DCD
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_004055BC 11_2_004055BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_00402A58 11_2_00402A58
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_00407A68 11_2_00407A68
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_00406FCE 11_2_00406FCE
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_004027D1 11_2_004027D1
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_0040FF99 11_2_0040FF99
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_1000A69F 11_2_1000A69F
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: 14_2_00407F2C 14_2_00407F2C
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: 14_2_004015A0 14_2_004015A0
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_00401F70 15_2_00401F70
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_0040A13C 15_2_0040A13C
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_004071EE 15_2_004071EE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\wtmps.exe 3B20C853D4CA23240CD338B8CAB16F1027C540DDFE9C4FFDCA1624D2F923B373
Source: C:\Users\user\Desktop\test.exe Code function: String function: 00472F40 appears 478 times
Source: C:\Users\user\Desktop\test.exe Code function: String function: 00452670 appears 83 times
Source: C:\Users\user\Desktop\test.exe Code function: String function: 00471AA0 appears 51 times
Source: test.exe, 00000000.00000000.1700270642.00000000004BE000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCandle.exe. vs test.exe
Source: test.exe, 00000003.00000000.1705827339.00000000004BE000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCandle.exe. vs test.exe
Source: test.exe Binary or memory string: OriginalFilenameCandle.exe. vs test.exe
Source: test.exe Binary or memory string: OriginalFilenameWdExt.exe vs test.exe
Source: test.exe.1.dr Binary or memory string: OriginalFilenameCandle.exe. vs test.exe
Source: test.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.evad.winEXE@35/29@0/0
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_1000180D CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle, 2_2_1000180D
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: 14_2_00401080 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindResourceA,LoadResource,LockResource,GetModuleFileNameA,CopyFileA,ExitProcess,RegCreateKeyExA,RegOpenKeyExA,RegQueryValueExA,RegSetValueExA,RegCloseKey,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA, 14_2_00401080
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Messenger
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user0.bat" "
Source: C:\Users\user\Desktop\test.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: test.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\test.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: test.exe String found in binary or memory: Dlibgcc_s_dw2-1.dll__register_frame_infolibgcj-13.dll_Jv_RegisterClasses__deregister_frame_info/translations/_.qmdefaultlocale:qt_1.1.7QWidget {font-size: 8pt}Operation was cancelled by userSpindle (%1).txt.nc.ncc.ngc.tap.mapCheckScrollAutoscrollCheck modeGC:|\[|\]|G[01234]\s|M[0345]+\s|\sF[\d\.]+|\sS[\d\.]+overrided!~^GRBL|GCARVIN\s\d\.\d.Overriding- (%1/%2/%3) (%1/%2)CJogdefaultupdating border drawerCandlefrmMain&OpenE&xit&Settings&New&SaveSave &as...&About&ClearSave &transformed as...G-code programIsometric viewTop viewFront viewLeft viewFitHeightmap settingsBorder:X:H:Y:W:Show borderAutoProbe grid:Zb:Zt:Show gridInterpolation grid:Type:BicubicShowOpenResetSendPauseAbortStateWork coordinates:X0YZMachine coordinates:Status:statusControlHome...Z-probeZero XYZero ZRestore originSafe positionUnlockUser commandsSpindle on/offHeightmapUse heightmapMap:AbsentCreateEdit modeX-Y-X+Y+Z+Z-Stop10010510.10.01ContinuouslyStep:Feed:2000100050050Keyboard controlConsoleSend commandClear console&File&Recent files&Service&Help/*QWidget {
Source: C:\Users\user\Desktop\test.exe File read: C:\Users\user\Desktop\test.exe
Source: unknown Process created: C:\Users\user\Desktop\test.exe "C:\Users\user\Desktop\test.exe"
Source: C:\Users\user\Desktop\test.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe "C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe"
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Users\user\Desktop\test.exe "C:\Users\user\Desktop\test.exe"
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user0.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe "C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe "C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe" /i 6788
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user2.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\wtmps.exe "C:\Users\user\AppData\Local\Temp\wtmps.exe"
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Process created: C:\Windows\SysWOW64\mscaps.exe "C:\Windows\system32\mscaps.exe" /C:\Users\user\AppData\Local\Temp\wtmps.exe
Source: C:\Users\user\Desktop\test.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\test.exe Section loaded: qt5core.dll
Source: C:\Users\user\Desktop\test.exe Section loaded: qt5gui.dll
Source: C:\Users\user\Desktop\test.exe Section loaded: qt5opengl.dll
Source: C:\Users\user\Desktop\test.exe Section loaded: qt5serialport.dll
Source: C:\Users\user\Desktop\test.exe Section loaded: qt5widgets.dll
Source: C:\Users\user\Desktop\test.exe Section loaded: qt5winextras.dll
Source: C:\Users\user\Desktop\test.exe Section loaded: libgcc_s_dw2-1.dll
Source: C:\Users\user\Desktop\test.exe Section loaded: libstdc++-6.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\mscaps.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\mscaps.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mscaps.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: test.exe Static file information: File size 2614323 > 1048576
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00402056 __EH_prolog,GetComputerNameW,GetUserNameW,GetSystemDefaultLangID,GetAdaptersInfo,GetAdaptersInfo,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,InternetGetConnectedState,FreeLibrary,GetTempPathW,GetTempFileNameW,GetTempFileNameW,GetTempFileNameW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 2_2_00402056
Source: test.exe.1.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\test.exe Code function: 0_2_00401650 push eax; ret 0_2_0040167E
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040C8A0 push eax; ret 2_2_0040C8BE
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040D510 push eax; ret 2_2_0040D53E
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_10005978 push eax; ret 2_2_10005996
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_10005380 push eax; ret 2_2_100053AE
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Code function: 8_2_10005978 push eax; ret 8_2_10005996
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Code function: 8_2_10005380 push eax; ret 8_2_100053AE
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_00408950 push eax; ret 11_2_0040896E
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_00409E10 push eax; ret 11_2_00409E3E
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_10005978 push eax; ret 11_2_10005996
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_10005380 push eax; ret 11_2_100053AE
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: 14_2_004026D0 push eax; ret 14_2_004026FE
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_00403090 push eax; ret 15_2_004030BE

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Executable created and started: C:\Windows\SysWOW64\mscaps.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Identities\user\arc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Common\Shared\dis.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Repairs\sha.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Addins\att.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Shared\Modules\fil.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe File created: C:\Users\user\AppData\Local\Temp\wtmps.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Caches\Files\usd.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe File created: C:\Windows\SysWOW64\mscaps.exe Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Desktop\test.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Jump to dropped file
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_00401D10 GetTempPathA,GetTempFileNameA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,DeleteFileA, 15_2_00401D10
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender Extension Jump to behavior
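The Run-key lines above name the autorun value ("Windows Defender Extension") but not its data. The script below is an added example, not part of the Joe Sandbox report, showing how a responder would triage such an entry from `reg query` output on the affected host: it parses the listing, expands environment variables, and scores each value on whether the image sits in a user-writable directory and whether the value borrows a Microsoft product name while pointing outside that product's install tree. The launch.exe data for the first entry is assumed from the "File created" lines; the OneDrive and SecurityHealth entries, the ENV table, the brand-to-directory map and the score thresholds are constructed.

```python
"""Triage HKCU Run-key entries from `reg query` output.

Added example, not part of the sandbox report. Only the value name of the
first entry comes from the report; its data is assumed, the rest is
constructed so the scoring has benign controls to compare against.
"""
import re

# Constructed `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. OneDrive is a genuine autorun that lives under AppData\Local, so
# "user-writable location" alone must not produce a verdict.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Defender Extension    REG_SZ    C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Environment values of the analysed machine (constructed).
ENV = {
    "%windir%": r"C:\Windows",
    "%systemroot%": r"C:\Windows",
    "%localappdata%": r"C:\Users\user\AppData\Local",
    "%appdata%": r"C:\Users\user\AppData\Roaming",
}

# Directory fragments any user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Product names malware borrows, mapped to substrings of the directories the
# genuine binary actually lives in. A borrowed name outside those trees is
# the strong signal; the table is an assumption and should be extended.
BRAND_HOMES = {
    "windows defender": (
        "c:\\program files\\windows defender\\",
        "c:\\programdata\\microsoft\\windows defender\\",
        "c:\\windows\\system32\\",
    ),
    "onedrive": (
        "\\appdata\\local\\microsoft\\onedrive\\",
        "c:\\program files\\microsoft onedrive\\",
        "c:\\program files (x86)\\microsoft onedrive\\",
    ),
}

ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return (key, value_name, value_type, data) tuples from `reg query` text."""
    key, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append((key, m["name"], m["type"], m["data"]))
    return entries


def extract_image(data):
    """Pull the executable path out of a Run value (quoted or not, with args)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    # Unquoted form: cut at the first " /" or " -" switch.
    return re.split(r" [/-]", data, maxsplit=1)[0].strip()


def expand(path):
    """Expand the %VAR% names in ENV, case-insensitively, without re-escaping issues."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.IGNORECASE)
    return path


def classify(name, image):
    """Score one entry: +1 user-writable image, +3 borrowed brand outside its tree."""
    low, lname = image.lower(), name.lower()
    score, reasons = 0, []
    if any(frag in low for frag in USER_WRITABLE):
        score += 1
        reasons.append("image lives in a user-writable directory")
    for brand, homes in BRAND_HOMES.items():
        if (brand in lname or brand in low) and not any(h in low for h in homes):
            score += 3
            reasons.append(f"borrows the '{brand}' name but is outside its install tree")
    return score, reasons


def audit(text):
    results = []
    for key, name, _type, data in parse_reg_query(text):
        image = expand(extract_image(data))
        score, reasons = classify(name, image)
        verdict = "suspicious" if score >= 3 else ("review" if score else "benign-looking")
        results.append({"key": key, "name": name, "image": image,
                        "score": score, "reasons": reasons, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_REG_QUERY):
        print(f"{r['verdict']:14} {r['name']!r:32} -> {r['image']}")
        for reason in r["reasons"]:
            print("    -", reason)
```

On a live host the same parser can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and of the HKLM, RunOnce and Wow6432Node variants; the brand table is the part that needs local maintenance, since a name-only check with no directory expectation would also have flagged the genuine OneDrive entry.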

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\ROAMING\TEMP\MYDLL.DLL reload: C:\WINDOWS\SYSWOW64\WS2_32.DLL
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\ROAMING\TEMP\MYDLL.DLL reload: C:\WINDOWS\SYSWOW64\WS2_32.DLL
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: 14_2_00401080 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindResourceA,LoadResource,LockResource,GetModuleFileNameA,CopyFileA,ExitProcess,RegCreateKeyExA,RegOpenKeyExA,RegQueryValueExA,RegSetValueExA,RegCloseKey,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA, 14_2_00401080
Source: C:\Users\user\Desktop\test.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_1000180D CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle, 2_2_1000180D
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: __EH_prolog,GetComputerNameW,GetUserNameW,GetSystemDefaultLangID,GetAdaptersInfo,GetAdaptersInfo,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,InternetGetConnectedState,FreeLibrary,GetTempPathW,GetTempFileNameW,GetTempFileNameW,GetTempFileNameW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 2_2_00402056
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: GetAdaptersInfo,GetAdaptersInfo,inet_addr,inet_addr, 2_2_00401CB0
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,GetProcessHeap,HeapFree, 14_2_00401D20
Source: C:\Windows\SysWOW64\mscaps.exe Code function: GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,GetProcessHeap,HeapFree, 15_2_00402600
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Identities\user\arc.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Common\Shared\dis.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Repairs\sha.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Shared\Modules\fil.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Addins\att.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Caches\Files\usd.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe TID: 6784 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00401466 FindFirstFileW,FindClose, 2_2_00401466
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00404D6B FindFirstFileW,FindClose, 2_2_00404D6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_004012A4 FindFirstFileW,FindClose, 11_2_004012A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_004034D3 FindFirstFileW,FindClose, 11_2_004034D3
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_00403177 DeleteFileA,FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 15_2_00403177
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040318C GetVersionExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetModuleHandleW,GetProcAddress,GetSystemMetrics, 2_2_0040318C
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Thread delayed: delay time: 120000 Jump to behavior
Source: WdExt.exe, 00000008.00000002.1776161415.0000000000650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: @AE2AF6.tmp.exe, 00000002.00000002.1732872130.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, @AE2AF6.tmp.exe, 00000002.00000002.1732872130.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, WdExt.exe, 00000008.00000002.1776161415.000000000061E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\mscaps.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00402056 __EH_prolog,GetComputerNameW,GetUserNameW,GetSystemDefaultLangID,GetAdaptersInfo,GetAdaptersInfo,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,InternetGetConnectedState,FreeLibrary,GetTempPathW,GetTempFileNameW,GetTempFileNameW,GetTempFileNameW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 2_2_00402056
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00404732 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc, 2_2_00404732
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00411746 SetUnhandledExceptionFilter, 2_2_00411746
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00411758 SetUnhandledExceptionFilter, 2_2_00411758
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_1000BA64 SetUnhandledExceptionFilter, 2_2_1000BA64
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_1000BA76 SetUnhandledExceptionFilter, 2_2_1000BA76
Source: C:\Users\user\Desktop\test.exe Code function: 3_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 3_2_00401179
Source: C:\Users\user\Desktop\test.exe Code function: 3_2_00451880 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_00451880
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Code function: 8_2_1000BA64 SetUnhandledExceptionFilter, 8_2_1000BA64
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Code function: 8_2_1000BA76 SetUnhandledExceptionFilter, 8_2_1000BA76
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_0040C6A6 SetUnhandledExceptionFilter, 11_2_0040C6A6
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_0040C6B8 SetUnhandledExceptionFilter, 11_2_0040C6B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_1000BA64 SetUnhandledExceptionFilter, 11_2_1000BA64
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Code function: 11_2_1000BA76 SetUnhandledExceptionFilter, 11_2_1000BA76
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: 14_2_00406250 SetUnhandledExceptionFilter, 14_2_00406250
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: 14_2_0040623E SetUnhandledExceptionFilter, 14_2_0040623E
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Code function: 14_2_00401AD0 SetUnhandledExceptionFilter, 14_2_00401AD0
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_00408007 SetUnhandledExceptionFilter, 15_2_00408007
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_004024A0 SetUnhandledExceptionFilter, 15_2_004024A0
Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_00407FF5 SetUnhandledExceptionFilter, 15_2_00407FF5
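The stalling, 120 s thread-delay and VMware/Hyper-V string findings in this section are the sort of evidence an analyst wants pulled out of a raw API trace automatically rather than by reading it. The script below is an added example, not part of the report: it reads a tab-separated API trace, converts Sleep/SleepEx and NtDelayExecution arguments to milliseconds, flags a thread either for one long delay or for many short ones that add up (the loop form defeats a per-call threshold), and scans memory strings for hypervisor artefacts with a strength rating. The 120 s Sleep, thread id 6784 and the two memory strings come from the report; the trace format, the 30 s and 60 s thresholds, the remaining trace lines and the marker table are assumptions.

```python
"""Spot sandbox-stalling delays and VM artefacts in an API trace.

Added example, not part of the sandbox report. Trace format and thresholds
are assumptions; everything except the 120 s Sleep, thread 6784 and the two
quoted memory strings is constructed.
"""
from collections import defaultdict

# Constructed trace: pid, tid, api, comma-separated args.
SAMPLE_TRACE = "pid\ttid\tapi\targs\n" + "\n".join(
    [
        "8\t6784\tGetAdaptersInfo\t",
        "8\t6784\tSleep\t120000",                       # the report's 120 s delay
        "8\t6790\tNtDelayExecution\tFALSE,-600000000",  # 60 s, relative, 100 ns units
        "2\t5000\tSleep\t500", "2\t5000\tSleep\t500", "2\t5000\tSleep\t500",
    ]
    + ["2\t4100\tSleep\t100"] * 700                    # evasive loop: 700 x 100 ms
)

# Constructed memory-string dump; the first two strings are from the report.
SAMPLE_STRINGS = [
    r"\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r"C:\Windows\System32\drivers\etc\hosts",
]

# Indicator families. "Hyper-V RAW" is the name of a Winsock provider present
# on every current Windows build, physical or virtual, so the hyper-v family
# is rated weak; a VMware device path is strong evidence of a VM.
VM_MARKERS = {
    "vmware": ("vmware", "vmci", "vmhgfs", "vmmouse"),
    "virtualbox": ("vbox", "virtualbox", "oracle vm"),
    "qemu/kvm": ("qemu", "kvm", "red hat virtio"),
    "hyper-v": ("hyper-v", "vmbus", "microsoft hv"),
}
WEAK_FAMILIES = {"hyper-v"}


def parse_trace(text):
    events = []
    for line in text.splitlines()[1:]:  # skip header
        if not line.strip():
            continue
        pid, tid, api, args = (line.split("\t", 3) + [""] * 4)[:4]
        events.append({"pid": int(pid), "tid": int(tid), "api": api,
                       "args": [a.strip() for a in args.split(",")] if args else []})
    return events


def delay_ms(ev):
    """Milliseconds a call keeps its thread idle; 0 if it is not a delay."""
    api, args = ev["api"], ev["args"]
    try:
        if api in ("Sleep", "SleepEx"):
            return int(args[0])
        if api in ("NtDelayExecution", "ZwDelayExecution"):
            interval = int(args[1])
            # Negative = relative interval in 100 ns units. A positive value is
            # an absolute time the trace alone cannot interpret, so ignore it.
            return -interval // 10_000 if interval < 0 else 0
    except (IndexError, ValueError):
        pass
    return 0


def find_stalls(events, single_ms=30_000, total_ms=60_000):
    """Flag threads that park themselves, by one long sleep or by a loop of short ones."""
    per_thread = defaultdict(lambda: {"calls": 0, "total_ms": 0, "max_ms": 0})
    for ev in events:
        ms = delay_ms(ev)
        if ms <= 0:
            continue
        t = per_thread[(ev["pid"], ev["tid"])]
        t["calls"] += 1
        t["total_ms"] += ms
        t["max_ms"] = max(t["max_ms"], ms)
    findings = []
    for (pid, tid), t in per_thread.items():
        if t["max_ms"] >= single_ms:
            kind = "single-long-sleep"
        elif t["total_ms"] >= total_ms:
            kind = "sleep-loop"
        else:
            continue
        findings.append({"pid": pid, "tid": tid, "kind": kind, **t})
    return findings


def find_vm_artifacts(strings):
    findings = []
    for s in strings:
        low = s.lower()
        for family, markers in VM_MARKERS.items():
            hit = next((m for m in markers if m in low), None)
            if hit:
                findings.append({"string": s, "family": family, "marker": hit,
                                 "strength": "weak" if family in WEAK_FAMILIES else "strong"})
    return findings


if __name__ == "__main__":
    for f in find_stalls(parse_trace(SAMPLE_TRACE)):
        print(f"pid {f['pid']} tid {f['tid']}: {f['kind']} ({f['calls']} calls, {f['total_ms']} ms)")
    for f in find_vm_artifacts(SAMPLE_STRINGS):
        print(f"{f['strength']:6} {f['family']:10} {f['string'][:60]}")
```

The per-thread total matters because a sample that calls Sleep(100) a few hundred times never trips a single-call threshold yet burns the same analysis time as one Sleep(120000); the weak/strong split matters because the Hyper-V provider string in the report is not, by itself, proof the sample detected a sandbox.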

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\mscaps.exe Code function: 15_2_00401950 DeleteFileA,OpenProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,CloseHandle,WriteProcessMemory,CreateRemoteThread,VirtualFreeEx,Sleep,Sleep,GetExitCodeThread,CloseHandle,CloseHandle,VirtualFreeEx,CloseHandle, 15_2_00401950
Source: C:\Users\user\Desktop\test.exe Memory written: PID: 984 base: 1279C0 value: 55 Jump to behavior
Source: C:\Users\user\Desktop\test.exe Memory written: PID: 984 base: 127F80 value: 04 Jump to behavior
Source: C:\Users\user\Desktop\test.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1279C0 Jump to behavior
Source: C:\Users\user\Desktop\test.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 127F80 Jump to behavior
Source: C:\Users\user\Desktop\test.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe "C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe" Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Users\user\Desktop\test.exe "C:\Users\user\Desktop\test.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user0.bat" " Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user1.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe "C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user1.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe "C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe" /i 6788
Source: C:\Users\user\AppData\Roaming\Microsoft\Defender\launch.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\user2.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\wtmps.exe "C:\Users\user\AppData\Local\Temp\wtmps.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wtmps.exe Process created: C:\Windows\SysWOW64\mscaps.exe "C:\Windows\system32\mscaps.exe" /C:\Users\user\AppData\Local\Temp\wtmps.exe
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040B8D2 GetSystemTime, 2_2_0040B8D2
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00402056 __EH_prolog,GetComputerNameW,GetUserNameW,GetSystemDefaultLangID,GetAdaptersInfo,GetAdaptersInfo,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,InternetGetConnectedState,FreeLibrary,GetTempPathW,GetTempFileNameW,GetTempFileNameW,GetTempFileNameW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 2_2_00402056
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_00412794 InterlockedDecrement,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 2_2_00412794
Source: C:\Users\user\AppData\Local\Temp\@AE2AF6.tmp.exe Code function: 2_2_0040318C GetVersionExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetModuleHandleW,GetProcAddress,GetSystemMetrics, 2_2_0040318C
Source: C:\Users\user\Desktop\test.exe Code function: 3_2_0043B9C0 _ZNK13QOpenGLBuffer9isCreatedEv,_ZNK24QOpenGLVertexArrayObject9isCreatedEv,_ZN13QOpenGLBuffer4bindEv,_ZN10QArrayData8allocateEjjj6QFlagsINS_16AllocationOptionEE,_ZN13QOpenGLBuffer7releaseEv,_ZN13QOpenGLBuffer8allocateEPKvi,_ZN10QArrayData10deallocateEPS_jj,_ZN13QOpenGLBuffer7releaseEv,_ZN24QOpenGLVertexArrayObject4bindEv,_ZN24QOpenGLVertexArrayObject7releaseEv,_ZN10QArrayData8allocateEjjj6QFlagsINS_16AllocationOptionEE,_ZNK20QOpenGLShaderProgram17attributeLocationEPKc,_ZN20QOpenGLShaderProgram20enableAttributeArrayEi,_ZN20QOpenGLShaderProgram18setAttributeBufferEijiii,_ZN24QOpenGLVertexArrayObject7releaseEv,_Z9qBadAllocv,_Z9qBadAllocv, 3_2_0043B9C0
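Three of the API chains in this report are textbook ordered sequences: the OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread chain in mscaps.exe (15_2_00401950); the suspended explorer.exe that test.exe writes into at 0x1279C0 and 0x127F80 before it runs (the report's "Creates a process in suspended mode" and "Memory written" lines); and, from the Hooking section, the self-copy plus BeginUpdateResourceA/UpdateResourceA/EndUpdateResourceA chain in wtmps.exe (14_2_00401080) that plants data into the copy it just made as mscaps.exe. The script below is an added example, not part of the report, that matches such chains as ordered subsequences in a per-process, per-target API trace. The trace format, the pattern names, the benign pid 7 and target pid 4212 are assumptions; pids 15, 3 and 14 reuse the report's process numbering and pid 984 is the explorer.exe instance from the "Memory written" lines.

```python
"""Match injection and self-implant API sequences in a per-process trace.

Added example, not part of the sandbox report. The trace format, pattern
names and pids 7/4212 are assumptions; the API order of each pattern follows
the report's code-function and memory-write lines.
"""
from collections import defaultdict

# Constructed trace: pid, api, target pid (empty = own process), args.
SAMPLE_TRACE = "\n".join("\t".join(row) for row in [
    ("15", "DeleteFileA", "", r"C:\Users\user\AppData\Local\Temp\wtmps.exe"),
    ("15", "OpenProcess", "4212", "PROCESS_ALL_ACCESS"),
    ("15", "VirtualAllocEx", "4212", "0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE"),
    ("15", "WriteProcessMemory", "4212", "0x2a0000,0x1000"),
    ("15", "CreateRemoteThread", "4212", "0x2a0000"),
    ("3", "CreateProcessW", "984", "explorer.exe,CREATE_SUSPENDED"),
    ("3", "WriteProcessMemory", "984", "0x1279c0"),
    ("3", "WriteProcessMemory", "984", "0x127f80"),
    ("3", "ResumeThread", "984", ""),
    ("14", "GetModuleFileNameA", "", ""),
    ("14", "CopyFileA", "", r"C:\Users\user\AppData\Local\Temp\wtmps.exe,C:\Windows\SysWOW64\mscaps.exe"),
    ("14", "BeginUpdateResourceA", "", r"C:\Windows\SysWOW64\mscaps.exe"),
    ("14", "UpdateResourceA", "", "RT_RCDATA"),
    ("14", "EndUpdateResourceA", "", ""),
    ("7", "OpenProcess", "4212", "PROCESS_QUERY_INFORMATION|PROCESS_VM_READ"),  # benign reader
    ("7", "ReadProcessMemory", "4212", "0x400000,0x200"),
])

# A pattern is an ordered list of steps; each step is the set of API names that
# satisfy it (Win32 and Nt-level spellings). `require` pins a substring that
# must appear in the args of a step, here that the process was really created
# suspended. Writes of non-executable memory are deliberately not excluded;
# tightening step 1 of the first pattern to PAGE_EXECUTE* is a tuning choice.
PATTERNS = {
    "remote-thread-injection": (
        [{"OpenProcess"},
         {"VirtualAllocEx", "NtAllocateVirtualMemory"},
         {"WriteProcessMemory", "NtWriteVirtualMemory"},
         {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"}],
        {},
    ),
    "suspended-process-write": (
        [{"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
         {"WriteProcessMemory", "NtWriteVirtualMemory"},
         {"ResumeThread", "NtResumeThread"}],
        {0: "CREATE_SUSPENDED"},
    ),
    "self-copy-resource-implant": (
        [{"CopyFileA", "CopyFileW"},
         {"BeginUpdateResourceA", "BeginUpdateResourceW"},
         {"UpdateResourceA", "UpdateResourceW"},
         {"EndUpdateResourceA", "EndUpdateResourceW"}],
        {},
    ),
}


def parse_trace(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, target, args = (line.split("\t", 3) + [""] * 4)[:4]
        events.append({"pid": int(pid), "api": api, "target": target, "args": args})
    return events


def match_sequence(events, steps, require):
    """Indices of events forming the steps as an ordered, not necessarily
    contiguous, subsequence; None if the chain never completes."""
    hits, i = [], 0
    for idx, ev in enumerate(events):
        if ev["api"] in steps[i] and require.get(i, "") in ev["args"]:
            hits.append(idx)
            i += 1
            if i == len(steps):
                return hits
    return None


def detect(text):
    # Group by (actor pid, target pid) so a write into one process is never
    # paired with a thread created in another.
    groups = defaultdict(list)
    for ev in parse_trace(text):
        groups[(ev["pid"], ev["target"])].append(ev)
    findings = []
    for (pid, target), evs in groups.items():
        for name, (steps, require) in PATTERNS.items():
            hits = match_sequence(evs, steps, require)
            if hits:
                findings.append({"technique": name, "pid": pid, "target": target,
                                 "apis": [evs[h]["api"] for h in hits]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_TRACE):
        where = f"-> pid {f['target']}" if f["target"] else "(self)"
        print(f"pid {f['pid']:>3} {f['technique']:28} {where}: {' > '.join(f['apis'])}")
```

Grouping on the target pid is what keeps the benign pid 7, which opens the same process but only reads it, out of the findings; the same grouping is what lets the suspended-process pattern fire on test.exe even though the two WriteProcessMemory calls and the later ResumeThread are separated by unrelated calls in a real trace.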
No contacted IP infos