Windows Analysis Report
KClGcCpDAP.exe

Overview

General Information

Sample name: KClGcCpDAP.exe
renamed because original name is a hash value
Original sample name: 61d2baf57c3ed6eda2d72720fc54ed04.exe
Analysis ID: 1527626
MD5: 61d2baf57c3ed6eda2d72720fc54ed04
SHA1: 8c6ce6dc798b3d085102b96ffea2913efe5fb243
SHA256: 08e1d8d41bef83310ed290e5b8b3821d7ead8f66709c90cd4caa27c567ab4e80
Tags: exeuser-abuse_ch
Infos:

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: KClGcCpDAP.exe Virustotal: Detection: 8% Perma Link
Source: KClGcCpDAP.exe ReversingLabs: Detection: 23%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 93.2% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0088A0BB DecryptFileW, 0_2_0088A0BB
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 0_2_008AFA62
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00889E9E DecryptFileW,DecryptFileW, 0_2_00889E9E
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D1A0BB DecryptFileW, 1_2_00D1A0BB
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 1_2_00D3FA62
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D19E9E DecryptFileW,DecryptFileW, 1_2_00D19E9E

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 20.2.validPower_Lnz_x64.exe.2671aed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.cmd.exe.33907f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.validPower_Lnz_x64.exe.264a6ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.cmd.exe.3364a08.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.validPower_Lnz_x64.exe.2604a20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.validPower_Lnz_x64.exe.26726ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.validPower_Lnz_x64.exe.262ca20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.validPower_Lnz_x64.exe.2649aed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2272761676.000000000361D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1778571972.0000000003DF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1722899571.0000000003F99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2216100615.0000000003390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2162614521.0000000003A96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2217981386.000000000554C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2475629890.0000000004EEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2022025745.0000000005366000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2662759098.0000000002626000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2221794602.00000000025FE000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Uses 32bit PE files
Source: KClGcCpDAP.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File opened: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49973 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: KClGcCpDAP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: KClGcCpDAP.exe, 00000000.00000000.1694739395.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000001.00000000.1698457093.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp, KClGcCpDAP.exe, 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: msvcp100.amd64.pdb source: Virtual.exe, 00000002.00000003.1711778991.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1724662734.00000000665EF000.00000002.00000001.01000000.0000000C.sdmp, Virtual.exe, 00000003.00000002.1780293522.000000006646F000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxDDU\VBoxDDU.pdb source: Virtual.exe, 00000002.00000002.1726253927.00007FFE0E175000.00000002.00000001.01000000.00000009.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1781691145.00007FFE01345000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: msvcr100.amd64.pdb source: Virtual.exe, 00000002.00000003.1712097641.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1724966337.00000000666D1000.00000002.00000001.01000000.0000000A.sdmp, Virtual.exe, 00000003.00000002.1780499574.0000000066551000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxSVC\VBoxSVC.pdb source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: ntdll.pdb source: Virtual.exe, 00000002.00000002.1723901134.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1723366926.0000000004262000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779142264.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779322698.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779530074.00000000046C3000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223382909.0000000003C67000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225791718.0000000005466000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223754045.0000000004065000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226734814.0000000005E69000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224913907.0000000004C63000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225569136.0000000005265000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221493011.00000000021BA000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224527435.000000000486F000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226037437.000000000566C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231554808.0000000006869000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223213519.0000000003A61000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231176665.000000000646A000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231723937.0000000006A68000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224103581.000000000446D000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224699045.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2232229859.0000000007064000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226981468.000000000606C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231892691.0000000006C64000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2229784780.0000000006260000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2222209839.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223555876.0000000003E66000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225140894.0000000004E67000.00000004.00000001.00020000.00000000.sdmp, validPower_Ln
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000004.00000002.2022484937.0000000005630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2021878982.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Virtual.exe, 00000002.00000002.1723901134.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1723366926.0000000004262000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779142264.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779322698.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779530074.00000000046C3000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223382909.0000000003C67000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225791718.0000000005466000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223754045.0000000004065000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226734814.0000000005E69000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224913907.0000000004C63000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225569136.0000000005265000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221493011.00000000021BA000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224527435.000000000486F000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226037437.000000000566C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231554808.0000000006869000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223213519.0000000003A61000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231176665.000000000646A000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231723937.0000000006A68000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224103581.000000000446D000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224699045.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2232229859.0000000007064000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226981468.000000000606C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231892691.0000000006C64000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2229784780.0000000006260000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2222209839.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223555876.0000000003E66000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225140894.0000000004E67000.00000004.00000001.00020000.00000000.sdmp, validPower
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxRT\VBoxRT.pdb source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000004.00000002.2022484937.0000000005630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2021878982.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00873CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_00873CC4
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B4440 FindFirstFileW,FindClose, 0_2_008B4440
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00889B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_00889B43
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D44440 FindFirstFileW,FindClose, 1_2_00D44440
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D19B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 1_2_00D19B43
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D03CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_00D03CC4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666644A8 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,SetErrorMode, 2_2_666644A8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666663E4 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_666663E4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666683E8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_666683E8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666623A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose, 2_2_666623A0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66665EE8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_66665EE8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66663F10 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno, 2_2_66663F10
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66667F84 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_66667F84
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66662C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose, 2_2_66662C0C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66666DDC __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_66666DDC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66667B1C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_66667B1C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666885C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_6666885C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666668D8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_666668D8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666649E4 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno, 2_2_666649E4
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 4x nop then push ebx 1_2_6E244630
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 4x nop then push ebx 1_2_6E244630
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 96Host: apokalipo.cyou
Source: global traffic HTTP traffic detected: POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2YutgContent-Length: 53Host: apokalipo.cyou
Source: global traffic HTTP traffic detected: POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2YutgContent-Length: 208Host: apokalipo.cyou
Source: global traffic HTTP traffic detected: POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 96Host: apokalipo.cyou
Source: global traffic HTTP traffic detected: POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36title: QjJpYf7JSNeFgfzDoE7rEVRGSvoCuywFgi99gSR9vR/CKS5/bTBtoujmY2YutgContent-Length: 53Host: apokalipo.cyou
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: apokalipo.cyou
Source: unknown HTTP traffic detected: POST /watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 96Host: apokalipo.cyou
Source: KClGcCpDAP.exe String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: KClGcCpDAP.exe, 00000000.00000000.1694739395.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000001.00000000.1698457093.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp, KClGcCpDAP.exe, 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: validPower_Lnz_x64.exe, 0000000A.00000003.2202727575.00000000004AC000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2211577219.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.00000000004AC000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219967891.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.0000000000499000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://relaxng.org/ns/structure/1.0allocating
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: KClGcCpDAP.exe, 00000000.00000003.1728770025.000000000135B000.00000004.00000020.00020000.00000000.sdmp, KClGcCpDAP.exe, 00000000.00000002.1729145495.000000000135E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mic
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: KClGcCpDAP.exe, 00000001.00000003.1703839155.0000000001543000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000003.1718068778.00000000013F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI32.fd
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI32.fdVBoxEFI64.fdhttp://virtualbox.org/firmware/VBoxEFI64.fdVB
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFI64.fd
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://virtualbox.org/firmware/VBoxEFIDual.fd
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.???.xx/?search=%s
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003CFD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003B5A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.00000000050D8000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221794602.00000000025B5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.innotek.de/VirtualBox-settings
Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html....................D:
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.com
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401E0000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.de
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977926263.00000001401F4000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: validPower_Lnz_x64.exe, 0000000A.00000000.1977816040.0000000140156000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.surfok.de/
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.virtualbox.org/ovf/machine
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#compressed
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#compressedhttp://www.vmware.com/specificat
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.vmware.com/schema/ovf/1/envelope
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#compressed
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#sparse
Source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.vmware.com/specifications/vmdk.html#sparsehttp://www.vmware.com/interfaces/specifications
Source: validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.000000000044F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apokalipo.cyou/
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.000000000044B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apokalipo.cyou/2t2
Source: validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.00000000004DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apokalipo.cyou/N
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.html
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D76000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLL
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.htmleldbZzsLLytC%2FMtKEkDE
Source: validPower_Lnz_x64.exe, 0000000A.00000003.2202888428.0000000000482000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202511556.0000000000485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apokalipo.cyou:443/watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=Z
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: KClGcCpDAP.exe, 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://gnu.org/licenses/
Source: KClGcCpDAP.exe, 00000001.00000002.1728064931.000000006E253000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49973 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49979 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 20.2.validPower_Lnz_x64.exe.2671aed.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.cmd.exe.33907f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.validPower_Lnz_x64.exe.264a6ed.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.cmd.exe.3364a08.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.validPower_Lnz_x64.exe.2604a20.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.validPower_Lnz_x64.exe.26726ed.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.validPower_Lnz_x64.exe.262ca20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.validPower_Lnz_x64.exe.2649aed.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\KClGcCpDAP.exe File deleted: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008A001D 0_2_008A001D
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008941EA 0_2_008941EA
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008762AA 0_2_008762AA
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008A03D5 0_2_008A03D5
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089C332 0_2_0089C332
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AA560 0_2_008AA560
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008A07AA 0_2_008A07AA
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0087A8F1 0_2_0087A8F1
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AAA0E 0_2_008AAA0E
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089FB89 0_2_0089FB89
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008A0B6F 0_2_008A0B6F
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008A2C18 0_2_008A2C18
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008A2E47 0_2_008A2E47
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AEE7C 0_2_008AEE7C
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3001D 1_2_00D3001D
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D241EA 1_2_00D241EA
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D062AA 1_2_00D062AA
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D303D5 1_2_00D303D5
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D2C332 1_2_00D2C332
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3A560 1_2_00D3A560
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D307AA 1_2_00D307AA
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D0A8F1 1_2_00D0A8F1
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3AA0E 1_2_00D3AA0E
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D2FB89 1_2_00D2FB89
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D30B6F 1_2_00D30B6F
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D32C18 1_2_00D32C18
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D32E47 1_2_00D32E47
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3EE7C 1_2_00D3EE7C
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E244F44 1_2_6E244F44
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E244F44 1_2_6E244F44
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E246FA0 1_2_6E246FA0
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E24DD90 1_2_6E24DD90
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E246FA0 1_2_6E246FA0
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E249891 1_2_6E249891
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E24C930 1_2_6E24C930
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E231960 1_2_6E231960
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E23E5B0 1_2_6E23E5B0
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E244F44 1_2_6E244F44
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E2482B0 1_2_6E2482B0
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E233298 1_2_6E233298
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665DE638 2_2_665DE638
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665E56E8 2_2_665E56E8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665E0740 2_2_665E0740
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665E4714 2_2_665E4714
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665CD46C 2_2_665CD46C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665D04D0 2_2_665D04D0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665D64B8 2_2_665D64B8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665AE5F8 2_2_665AE5F8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665C9580 2_2_665C9580
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665CB5B8 2_2_665CB5B8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665DF2D4 2_2_665DF2D4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665D3E0C 2_2_665D3E0C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665E3E34 2_2_665E3E34
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665D1EF4 2_2_665D1EF4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665CAE88 2_2_665CAE88
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665CCD3C 2_2_665CCD3C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665BDD3C 2_2_665BDD3C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665DDB68 2_2_665DDB68
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665C9B60 2_2_665C9B60
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665CA84C 2_2_665CA84C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665C692C 2_2_665C692C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6665B624 2_2_6665B624
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6667C6A0 2_2_6667C6A0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666506B0 2_2_666506B0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666756B8 2_2_666756B8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666A760 2_2_6666A760
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6667A77C 2_2_6667A77C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6665D73C 2_2_6665D73C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666AB7E4 2_2_666AB7E4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666B7C4 2_2_6666B7C4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666727AC 2_2_666727AC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666F454 2_2_6666F454
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6667A410 2_2_6667A410
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666C74DC 2_2_666C74DC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666724D0 2_2_666724D0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666644A8 2_2_666644A8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666784BC 2_2_666784BC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666BF558 2_2_666BF558
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666BE2B8 2_2_666BE2B8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666AA2BC 2_2_666AA2BC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666BD2B4 2_2_666BD2B4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66670288 2_2_66670288
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66679294 2_2_66679294
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6664B298 2_2_6664B298
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666C350 2_2_6666C350
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66693050 2_2_66693050
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666C0008 2_2_666C0008
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6667A0EC 2_2_6667A0EC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6664D0E8 2_2_6664D0E8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6667B1E0 2_2_6667B1E0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666A1F0 2_2_6666A1F0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66678194 2_2_66678194
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66678E10 2_2_66678E10
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666BE1C 2_2_6666BE1C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6667AE9C 2_2_6667AE9C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66697F74 2_2_66697F74
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66679F44 2_2_66679F44
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666BDF5C 2_2_666BDF5C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66663F10 2_2_66663F10
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66679C74 2_2_66679C74
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66668CF8 2_2_66668CF8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66674D40 2_2_66674D40
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66660DCC 2_2_66660DCC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66677DB0 2_2_66677DB0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66677AF4 2_2_66677AF4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66669AAC 2_2_66669AAC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66675A94 2_2_66675A94
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66672BF4 2_2_66672BF4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666BEBD8 2_2_666BEBD8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666ACBA0 2_2_666ACBA0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66675B88 2_2_66675B88
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666728D4 2_2_666728D4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6664D8B4 2_2_6664D8B4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6665C894 2_2_6665C894
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66675958 2_2_66675958
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666A92C 2_2_6666A92C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666649E4 2_2_666649E4
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: String function: 008B0726 appears 34 times
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: String function: 00871F13 appears 54 times
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: String function: 00873821 appears 500 times
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: String function: 008B0237 appears 685 times
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: String function: 008B32F3 appears 83 times
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: String function: 6E250E68 appears 39 times
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: String function: 6E232BC0 appears 79 times
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: String function: 00D40237 appears 685 times
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: String function: 00D40726 appears 34 times
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: String function: 00D01F13 appears 54 times
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: String function: 00D432F3 appears 83 times
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: String function: 00D03821 appears 500 times
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: String function: 665AF96C appears 38 times
PE file contains executable resources (Code or Archives)
Source: validPower_Lnz_x64.exe.4.dr Static PE information: Resource name: ZIP type: Zip archive data (empty)
PE file contains more sections than normal
Source: jamulieilmfjkk.4.dr Static PE information: Number of sections : 12 > 10
Source: bewwwy.18.dr Static PE information: Number of sections : 12 > 10
Source: Ammonium.dll.1.dr Static PE information: Number of sections : 11 > 10
Sample file is different than original file name gathered from version info
Source: KClGcCpDAP.exe, 00000000.00000000.1694797876.00000000008DD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: \LegalCopyrightCopyright (c) Friarbird. All rights reserved.H OriginalFilenamekwashiorkor.exe@ vs KClGcCpDAP.exe
Source: KClGcCpDAP.exe, 00000001.00000000.1698535734.0000000000D6D000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: \LegalCopyrightCopyright (c) Friarbird. All rights reserved.H OriginalFilenamekwashiorkor.exe@ vs KClGcCpDAP.exe
Source: KClGcCpDAP.exe, 00000001.00000002.1728141493.000000006E26A000.00000008.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamelibgpg-error.dll" vs KClGcCpDAP.exe
Uses 32bit PE files
Source: KClGcCpDAP.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Yara signature match
Source: 20.2.validPower_Lnz_x64.exe.2671aed.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.cmd.exe.33907f8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.validPower_Lnz_x64.exe.264a6ed.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.cmd.exe.3364a08.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.validPower_Lnz_x64.exe.2604a20.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.validPower_Lnz_x64.exe.26726ed.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.validPower_Lnz_x64.exe.262ca20.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.validPower_Lnz_x64.exe.2649aed.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal96.spyw.expl.evad.winEXE@22/25@1/1
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AFE21 FormatMessageW,GetLastError,LocalFree, 0_2_008AFE21
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008745EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 0_2_008745EE
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D045EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 1_2_00D045EE
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66663DA4 _errno,_invalid_parameter_noinfo,GetDiskFreeSpaceA,GetLastError,_errno, 2_2_66663DA4
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 0_2_008B304F
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00896B88 ChangeServiceConfigW,GetLastError, 0_2_00896B88
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\Users\user\Desktop\KClGcCpDAP.exe File created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\ Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: cabinet.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: msi.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: version.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: wininet.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: comres.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: clbcatq.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: msasn1.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: crypt32.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: feclient.dll 0_2_00871070
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Command line argument: cabinet.dll 0_2_00871070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: cabinet.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: msi.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: version.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: wininet.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: comres.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: clbcatq.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: msasn1.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: crypt32.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: feclient.dll 1_2_00D01070
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Command line argument: cabinet.dll 1_2_00D01070
Source: KClGcCpDAP.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: KClGcCpDAP.exe Virustotal: Detection: 8%
Source: KClGcCpDAP.exe ReversingLabs: Detection: 23%
Source: KClGcCpDAP.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: KClGcCpDAP.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\KClGcCpDAP.exe File read: C:\Users\user\Desktop\KClGcCpDAP.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\KClGcCpDAP.exe "C:\Users\user\Desktop\KClGcCpDAP.exe"
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Process created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe "C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe" -burn.clean.room="C:\Users\user\Desktop\KClGcCpDAP.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Process created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe "C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe"
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Process created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe "C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe"
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe "C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe"
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Process created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe "C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe" -burn.clean.room="C:\Users\user\Desktop\KClGcCpDAP.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Process created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe "C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe" Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Process created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: vboxddu.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: pla.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxddu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxddu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: comsvcs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmlua.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxddu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: vboxrt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32 Jump to behavior
Source: xdhqslqcnobw.4.dr LNK file: ..\..\Roaming\TlsCloud_WRv3_x64\Virtual.exe
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Windows\SysWOW64\msftedit.dll Jump to behavior
Source: KClGcCpDAP.exe Static file information: File size 8656211 > 1048576
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File opened: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcr100.dll Jump to behavior
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KClGcCpDAP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: KClGcCpDAP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: KClGcCpDAP.exe, 00000000.00000000.1694739395.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000000.00000002.1728965168.00000000008BB000.00000002.00000001.01000000.00000003.sdmp, KClGcCpDAP.exe, 00000001.00000000.1698457093.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp, KClGcCpDAP.exe, 00000001.00000002.1726726510.0000000000D4B000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: msvcp100.amd64.pdb source: Virtual.exe, 00000002.00000003.1711778991.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1724662734.00000000665EF000.00000002.00000001.01000000.0000000C.sdmp, Virtual.exe, 00000003.00000002.1780293522.000000006646F000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxDDU\VBoxDDU.pdb source: Virtual.exe, 00000002.00000002.1726253927.00007FFE0E175000.00000002.00000001.01000000.00000009.sdmp, Virtual.exe, 00000002.00000003.1712509409.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1781691145.00007FFE01345000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: msvcr100.amd64.pdb source: Virtual.exe, 00000002.00000003.1712097641.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1724966337.00000000666D1000.00000002.00000001.01000000.0000000A.sdmp, Virtual.exe, 00000003.00000002.1780499574.0000000066551000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxSVC\VBoxSVC.pdb source: Virtual.exe, 00000002.00000000.1705508860.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000002.00000002.1725292654.00007FF6C5877000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1780908036.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp, Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: ntdll.pdb source: Virtual.exe, 00000002.00000002.1723901134.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1723366926.0000000004262000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779142264.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779322698.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779530074.00000000046C3000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223382909.0000000003C67000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225791718.0000000005466000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223754045.0000000004065000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226734814.0000000005E69000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224913907.0000000004C63000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225569136.0000000005265000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221493011.00000000021BA000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224527435.000000000486F000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226037437.000000000566C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231554808.0000000006869000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223213519.0000000003A61000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231176665.000000000646A000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231723937.0000000006A68000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224103581.000000000446D000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224699045.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2232229859.0000000007064000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226981468.000000000606C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231892691.0000000006C64000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2229784780.0000000006260000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2222209839.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223555876.0000000003E66000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225140894.0000000004E67000.00000004.00000001.00020000.00000000.sdmp, validPower_Ln
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000004.00000002.2022484937.0000000005630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2021878982.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Virtual.exe, 00000002.00000002.1723901134.0000000004660000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000002.00000002.1723366926.0000000004262000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779142264.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779322698.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1779530074.00000000046C3000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223382909.0000000003C67000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225791718.0000000005466000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223754045.0000000004065000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226734814.0000000005E69000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224913907.0000000004C63000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225569136.0000000005265000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2221493011.00000000021BA000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224527435.000000000486F000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226037437.000000000566C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231554808.0000000006869000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223213519.0000000003A61000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231176665.000000000646A000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231723937.0000000006A68000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224103581.000000000446D000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2224699045.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2232229859.0000000007064000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2226981468.000000000606C000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2231892691.0000000006C64000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2229784780.0000000006260000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2222209839.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2223555876.0000000003E66000.00000004.00000001.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2225140894.0000000004E67000.00000004.00000001.00020000.00000000.sdmp, validPower
Source: Binary string: D:\tinderbox\win-4.2\out\win.amd64\release\obj\VBoxRT\VBoxRT.pdb source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000004.00000002.2022484937.0000000005630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2021878982.0000000004D73000.00000004.00000020.00020000.00000000.sdmp
Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KClGcCpDAP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E231400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_6E231400
PE file contains an invalid checksum
Source: jamulieilmfjkk.4.dr Static PE information: real checksum: 0x260d5c should be: 0x259261
Source: KClGcCpDAP.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x83c81b
Source: VBoxRT.dll.2.dr Static PE information: real checksum: 0x413417 should be: 0x40cba5
Source: VBoxRT.dll.1.dr Static PE information: real checksum: 0x413417 should be: 0x40cba5
Source: KClGcCpDAP.exe Static PE information: real checksum: 0x0 should be: 0x84fd8f
Source: bewwwy.18.dr Static PE information: real checksum: 0x260d5c should be: 0x259261
Source: Ammonium.dll.1.dr Static PE information: real checksum: 0x45d32 should be: 0x4609e
PE file contains sections with non-standard names
Source: KClGcCpDAP.exe Static PE information: section name: .wixburn
Source: KClGcCpDAP.exe.0.dr Static PE information: section name: .wixburn
Source: Ammonium.dll.1.dr Static PE information: section name: /4
Source: msvcr100.dll.1.dr Static PE information: section name: _CONST
Source: msvcr100.dll.1.dr Static PE information: section name: text
Source: msvcr100.dll.2.dr Static PE information: section name: _CONST
Source: msvcr100.dll.2.dr Static PE information: section name: text
Source: validPower_Lnz_x64.exe.4.dr Static PE information: section name: Shared
Source: jamulieilmfjkk.4.dr Static PE information: section name: .xdata
Source: jamulieilmfjkk.4.dr Static PE information: section name: gfcdpo
Source: bewwwy.18.dr Static PE information: section name: .xdata
Source: bewwwy.18.dr Static PE information: section name: gfcdpo
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089EAD6 push ecx; ret 0_2_0089EAE9
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D2EAD6 push ecx; ret 1_2_00D2EAE9
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665B29CA push rcx; ret 2_2_665B29CB
Drops PE files
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\VBoxRT.dll Jump to dropped file
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\VBoxDDU.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KClGcCpDAP.exe File created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcp100.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bewwwy Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\jamulieilmfjkk Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcr100.dll Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Ammonium.dll Jump to dropped file
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\VBoxDDU.dll Jump to dropped file
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\msvcp100.dll Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\VBoxRT.dll Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Jump to dropped file
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe File created: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\msvcr100.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\VBoxDDU.dll Jump to dropped file
Source: C:\Users\user\Desktop\KClGcCpDAP.exe File created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcp100.dll Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\msvcr100.dll Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Ammonium.dll Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\VBoxRT.dll Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe File created: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\jamulieilmfjkk Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bewwwy Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Found hidden mapped module (file has been removed from disk)
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JAMULIEILMFJKK
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BEWWWY
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6665D73C GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetLastError, 2_2_6665D73C

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CF53B54
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6665BAC4 rdtsc 2_2_6665BAC4
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bewwwy Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jamulieilmfjkk Jump to dropped file
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Dropped PE file which has not been started: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Ammonium.dll Jump to dropped file
Found evaded block containing many API calls
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Evaded block: after key decision
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Evaded block: after key decision
Found evasive API chain (date check)
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Evasive API call chain: GetLocalTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe API coverage: 4.5 %
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe API coverage: 0.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe TID: 7148 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe TID: 5852 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe TID: 1608 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe TID: 4048 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe TID: 6024 Thread sleep time: -30000s >= -30000s Jump to behavior
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008AFF61h 0_2_008AFEC6
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008AFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008AFF5Ah 0_2_008AFEC6
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00D3FF61h 1_2_00D3FEC6
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D3FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00D3FF5Ah 1_2_00D3FEC6
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00873CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_00873CC4
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B4440 FindFirstFileW,FindClose, 0_2_008B4440
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00889B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_00889B43
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D44440 FindFirstFileW,FindClose, 1_2_00D44440
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D19B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 1_2_00D19B43
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D03CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_00D03CC4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666644A8 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,SetErrorMode, 2_2_666644A8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666663E4 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_666663E4
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666683E8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_666683E8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666623A0 FindClose,FindFirstFileExA,FindNextFileA,FindClose, 2_2_666623A0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66665EE8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_66665EE8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66663F10 _errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno, 2_2_66663F10
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66667F84 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_66667F84
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66662C0C FindClose,FindFirstFileExW,FindNextFileW,FindClose, 2_2_66662C0C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66666DDC __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_66666DDC
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_66667B1C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_66667B1C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6666885C __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExW,_errno,_errno,_errno,_errno,_errno,IsRootUNCName,GetDriveTypeW,free,free,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_6666885C
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666668D8 __doserrno,_errno,_invalid_parameter_noinfo,_errno,__doserrno,_getdrive,FindFirstFileExA,_errno,_errno,_errno,_errno,_errno,GetDriveTypeA,free,free,_errno,__doserrno,_wsopen_s,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 2_2_666668D8
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666649E4 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno, 2_2_666649E4
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B97A5 VirtualQuery,GetSystemInfo, 0_2_008B97A5
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: http://www.vmware.com/schema/ovf/1/envelope
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: uuidvbox:uuid%RTuuidovf:formathttp://www.vmware.com/specifications/vmdk.html#sparsehttp://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimizedovf:fileRefovf:diskIdovf:capacityDiskovf:hrefFilefile%RI32VMDKLogical network used by this appliance.ovf:nameExportedVirtualBoxMachinesVirtualSystemCollectionCannot export more than one virtual system with OVF 0.9, use OVF 1.0Logical networks used in the packageNetworkSectionovf:NetworkSection_TypeList of the virtual disks used in the packageDiskSectionovf:DiskSection_TypeReferencesxmlns:vboxhttp://www.virtualbox.org/ovf/machinexmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexmlns:vssdhttp://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingDataxmlns:rasdhttp://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingDataxmlns:ovfxmlnshttp://schemas.dmtf.org/ovf/envelope/1http://www.vmware.com/schema/ovf/1/envelopexml:langen-USovf:version0.92.0Envelope"
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: %s/VBoxGuestAdditions_%ls.iso
Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: /additions/VBoxGuestAdditions.iso
Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: using the native ring-0 loaderpLoadReq->u.In.cbStrTab == CalcArgs.cbStrings(size_t)(CreateArgs.pSym - (PSUPLDRSYM)&pLoadReq->u.In.abImage[offSymTab]) <= CalcArgs.cSymbols(size_t)(CreateArgs.psz - CreateArgs.pszBase) <= CalcArgs.cbStringsint __cdecl supLoadModule(const char *,const char *,const char *,void **)ModuleTermModuleInitVMMR0EntryExVMMR0EntryFastVMMR0EntryIntsupLoadModule returned %RrcVBoxDrvVBox Support Driver\VBoxDrv.sys\\.\VBoxDrvVBoxNetDHCP.dllVBoxNetDHCP.exevboxwebsrv.exeVBoxBFE.dllVBoxBFE.exeVBoxSDL.dllVBoxSDL.exeVirtualBox.dllVirtualBox.exeVBoxVideoRecFB.dllVBoxHeadless.dllVBoxHeadless.exeVBoxVRDP.dllVBoxAuth.dllVRDPAuth.dllVBoxC.dllVBoxSVC.exeVBoxManage.exeVBoxOGLrenderspu.dllVBoxOGLhosterrorspu.dllVBoxOGLhostcrutil.dllVBoxSharedCrOpenGL.dllVBoxHostChannel.dllVBoxGuestControlSvc.dllVBoxGuestPropSvc.dllVBoxDragAndDropSvc.dllVBoxSharedFolders.dllVBoxSharedClipboard.dllVBoxDbg3.dllVBoxDbg.dllVBoxDDU.dllVBoxDD2.dllVBoxDD.dllVBoxREM.dllVBoxVMM.dllVBoxRT.dllVBoxDD2GC.gcVBoxDDGC.gcVMMGC.gcVBoxDD2R0.r0VBoxDDR0.r0
Source: Virtual.exe, 00000002.00000003.1718068778.0000000001391000.00000004.00000001.00020000.00000000.sdmp, Virtual.exe, 00000002.00000000.1705595351.00007FF6C5953000.00000002.00000001.01000000.00000008.sdmp, Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: AdditionsFacilityType_VBoxTrayClient
Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: aVmNetTx
Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: aVmNetRx
Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.000000000041C000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202511556.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202888428.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.0000000000499000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: The service was disabled on the host. Returned by pfnInit in VBoxService to indicated a non-fatal error that should results in the particular service being disabled.
Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: VBoxGuestPropSvc.dll
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: /VBoxGuestAdditions.iso
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: Given default machine Guest Additions ISO file '%s' does not existGiven default machine Guest Additions ISO file '%s' is not fully qualifiedCannot determine default Guest Additions ISO location. Most likely they are not available%s/VBoxGuestAdditions_%ls.iso/additions/VBoxGuestAdditions.iso/VBoxGuestAdditions.iso
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: Importing virtual disk image '%s'Could not find a valid medium format for the source disk '%s'http://www.vmware.com/interfaces/specifications/vmdk.html#compressedhttp://www.vmware.com/specifications/vmdk.html#compressedVDICreating disk image '%s'%s%c%sCould not find a valid medium format for the target disk '%s'"
Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: AdditionsFacilityType_VBoxGuestDriverWWW
Source: cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: !0R4AdditionsFacilityType_VBoxServiceWWW
Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: VBoxGuestControlSvc.dll
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: http://www.vmware.com/specifications/vmdk.html#compressed
Source: Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: IOCtl to VBoxGuest driver failed.
Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: VBoxTray.exe
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: http://www.vmware.com/specifications/vmdk.html#sparse
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized
Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: Virtual HDD is not opened.
Source: Virtual.exe, 00000002.00000002.1725642901.00007FFDFB6C5000.00000002.00000001.01000000.0000000B.sdmp, Virtual.exe, 00000003.00000002.1781300513.00007FFDFB125000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: VBoxTray.exeexplorer.exeint __cdecl rtProcWinCreateAsUser1(unsigned short *,unsigned short *,unsigned short *,unsigned short *,struct RTENVINTERNAL *,unsigned long,struct _STARTUPINFOW *,struct _PROCESS_INFORMATION *,unsigned int)pfnCreateProcessWithLogonW (%p) failed: dwErr=%u (%#x), rc=%Rrc
Source: validPower_Lnz_x64.exe, 0000000A.00000003.2202511556.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2210919646.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2202888428.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000002.2220545140.0000000000499000.00000004.00000020.00020000.00000000.sdmp, validPower_Lnz_x64.exe, 0000000A.00000003.2219569359.0000000000499000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW?
Source: Virtual.exe, 00000003.00000000.1720716762.00007FF718577000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: http://www.vmware.com/interfaces/specifications/vmdk.html#compressed
Source: Virtual.exe, 00000003.00000002.1781024865.00007FF718653000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: b!0R4AdditionsFacilityType_VBoxServiceWWW
Source: C:\Users\user\Desktop\KClGcCpDAP.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_6665BAC4 rdtsc 2_2_6665BAC4
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0089E88A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E231400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_6E231400
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008A48D8 mov eax, dword ptr fs:[00000030h] 0_2_008A48D8
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D348D8 mov eax, dword ptr fs:[00000030h] 1_2_00D348D8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0087394F GetProcessHeap,RtlAllocateHeap, 0_2_0087394F
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0089E3D8
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0089E88A
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089E9DC SetUnhandledExceptionFilter, 0_2_0089E9DC
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008A3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008A3C76
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D2E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00D2E3D8
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D2E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00D2E88A
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D2E9DC SetUnhandledExceptionFilter, 1_2_00D2E9DC
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_00D33C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00D33C76
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_665E6BB0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_665E6BB0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666B06B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_666B06B0
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: 2_2_666B02A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_666B02A4

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x7FFDFB329635 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQuerySystemInformation: Direct from: 0x7FF69E3C6203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x14011D93E
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FF69E535663
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQuerySystemInformation: Direct from: 0x7FF69E45E26B Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtRequestWaitReplyPort: Direct from: 0x7FF69E466D34 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtClose: Direct from: 0xAF0E30
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryAttributesFile: Direct from: 0x7FF6AB8AA87D Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtCreateFile: Direct from: 0x7FF6AB9703E5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E3CF21C Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E3AFF06 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtCreateFile: Direct from: 0x7FF6AB80A602 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryInformationToken: Direct from: 0x7FF69E4235D8 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryInformationToken: Direct from: 0x7FF69E3CA02E Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtProtectVirtualMemory: Direct from: 0x7FFDFAEF94F5 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtClose: Direct from: 0x78FB90
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E534462 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FFE221C26A1
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FF69E535671
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0xA0A76ACB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQuerySystemInformation: Direct from: 0x7FF69E3C9664 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryAttributesFile: Direct from: 0x7FF6AB7FC002 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtClose: Direct from: 0x2
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtProtectVirtualMemory: Direct from: 0x3 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x78BC70 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtCreateNamedPipeFile: Direct from: 0x8000000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQuerySystemInformation: Direct from: 0x7FF69E3BC002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x14011D808 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E53DA8E Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe NtQuerySystemInformation: Direct from: 0xEFC1A0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FF69E31A949 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtCreateFile: Direct from: 0x230E4B3 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FF69E3CCA0F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtDeviceIoControlFile: Direct from: 0x7FF6AB869691 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E533508 Jump to behavior
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x2F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E53C195 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0xAECE40 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtProtectVirtualMemory: Direct from: 0x7FFDFB3294F5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FF69E53564F
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FF6AB975663
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E42AA63 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtCreateFile: Direct from: 0x277E4B3 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtCreateFile: Direct from: 0x7FF69E3CA602 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FF6AB97564F
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FF6AB7EFF06
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtSetInformationProcess: Direct from: 0x7FF69E3D0C7D Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x7FFDFAEF9635 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtReadVirtualMemory: Direct from: 0x7FF69E3C6B83 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x40 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryAttributesFile: Direct from: 0x7FF6AB86AA63 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtDeviceIoControlFile: Direct from: 0x7FF69E429691 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryAttributesFile: Direct from: 0x7FF6AB8A6D34 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtCreateFile: Direct from: 0x7FF69E533AF4 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryValueKey: Direct from: 0x7FF69E3EDCEB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FF69E3160A1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtReadFile: Direct from: 0x7FF6AB80A809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtSetInformationProcess: Direct from: 0x7FF69E3D200D Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryVolumeInformationFile: Direct from: 0x7FF6AB811681 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtCreateFile: Direct from: 0x2ADE4B3 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtQuerySystemInformation: Direct from: 0x7FFDFAEE2143 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryValueKey: Direct from: 0x7FF69E3EE4D8 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtCreateThreadEx: Direct from: 0x7FF69E316400 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FF69E3D1681 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtClose: Direct from: 0xF133A0
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQuerySystemInformation: Direct from: 0x7FF69E538749 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E53DB66 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtQuerySystemInformation: Direct from: 0x7FFDFB312143 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E3C62C4 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FF69E3C4E67 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FF6AB974462
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtClose: Direct from: 0x7FF6AB975671
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x7FFDFB328E14 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FF69E5345E9 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtCreateFile: Direct from: 0x7FF69E5303E5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryValueKey: Direct from: 0x7FF69E3EE14E Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FF69E42AAAB Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0x7FFDFAEF8E14 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtAllocateVirtualMemory: Direct from: 0xF0B610 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryAttributesFile: Direct from: 0x7FF6AB80A02E Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryAttributesFile: Direct from: 0x7FF6AB8635D8 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtReadFile: Direct from: 0x14011D832 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtCreateFile: Direct from: 0x7FF6AB973AF4 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtQuerySystemInformation: Direct from: 0x7FFD40CB21D3 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryInformationProcess: Direct from: 0x7FF69E3C0C96 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryAttributesFile: Direct from: 0x7FF6AB809664 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E3BC747 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtCreateFile: Direct from: 0x14011D7A4 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtReadFile: Direct from: 0x7FF69E3CA809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x7FF69E425B12 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryInformationToken: Direct from: 0x7FF69E46A87D Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtOpenKeyEx: Direct from: 0x7FF69E3ED508 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryValueKey: Direct from: 0x7FF69E3EE5ED Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtQueryInformationProcess: Direct from: 0x7FF69E3D0D55 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe NtProtectVirtualMemory: Direct from: 0x6C006C Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtProtectVirtualMemory: Direct from: 0x7FF69E5334D0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe NtAllocateVirtualMemory: Direct from: 0x140120A3C Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe protection: read write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe base: 14011BC08 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe base: 207010 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe base: 14011BC08 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe base: 2F4010 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Process created: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe "C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe" -burn.clean.room="C:\Users\user\Desktop\KClGcCpDAP.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsCloud_WRv3_x64\Virtual.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B1719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 0_2_008B1719
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B3A5F AllocateAndInitializeSid,CheckTokenMembership, 0_2_008B3A5F
Source: Virtual.exe, 00000002.00000002.1722899571.0000000003D53000.00000004.00000020.00020000.00000000.sdmp, Virtual.exe, 00000003.00000002.1778571972.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2022025745.0000000005121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_0089EC07 cpuid 0_2_0089EC07
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Temp\{8CB9D4BD-BB58-4C1B-96C8-872261C205E0}\.ba\Virtual.exe Code function: ___lc_handle_func,GetLocaleInfoW, 2_2_665D9460
Queries the installation date of Windows
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00884EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 0_2_00884EDF
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00876037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError, 0_2_00876037
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008761DF GetUserNameW,GetLastError, 0_2_008761DF
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_008B887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 0_2_008B887B
Source: C:\Users\user\Desktop\KClGcCpDAP.exe Code function: 0_2_00875195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize, 0_2_00875195
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Found many strings related to Crypto-Wallets (likely being stolen)
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D3D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D28000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ZSOFTWARE\Microsoft\Windows NT\CurrentVersion\C:\Users\user\AppData\Roaming\Electrum\wallets\C:\Users\user\AppData\Roaming\Armory\databases
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: wallets\JaxxLiberty\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: wallets\Exodus\exodus.wallet
Source: validPower_Lnz_x64.exe, 0000000A.00000002.2222475898.0000000002D32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: wallets\Exodus\exodus.wallet
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\validPower_Lnz_x64.exe Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core Jump to behavior
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E232860 _gpg_w32_bindtextdomain,strlen,malloc,memcpy,strchr,strlen,strlen,strlen,malloc,memcpy,memcpy,memcpy,free,calloc,memcpy,malloc,memcpy,EnterCriticalSection,strcmp,LeaveCriticalSection,free,free,free,EnterCriticalSection,strcmp,LeaveCriticalSection,free,free,free,free, 1_2_6E232860
Source: C:\Windows\Temp\{F5D68338-3B04-47F6-AE14-10EB1750048C}\.cr\KClGcCpDAP.exe Code function: 1_2_6E2377E0 TlsAlloc,LocalAlloc,TlsGetValue,LocalFree,LocalAlloc,TlsSetValue,TlsGetValue,LocalFree,TlsFree,TlsSetValue,GetModuleFileNameW,WideCharToMultiByte,WideCharToMultiByte,malloc,WideCharToMultiByte,strrchr,strrchr,strcmp,strlen,_gpg_w32_bindtextdomain,free,malloc, 1_2_6E2377E0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527626 Sample: KClGcCpDAP.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 96 74 apokalipo.cyou 2->74 78 Malicious sample detected (through community Yara rule) 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 Yara detected UAC Bypass using CMSTP 2->82 84 AI detected suspicious sample 2->84 11 KClGcCpDAP.exe 3 2->11         started        14 Virtual.exe 1 2->14         started        17 Virtual.exe 1 2->17         started        signatures3 process4 file5 64 C:\Windows\Temp\...\KClGcCpDAP.exe, PE32 11->64 dropped 19 KClGcCpDAP.exe 14 11->19         started        110 Maps a DLL or memory area into another process 14->110 112 Found direct / indirect Syscall (likely to bypass EDR) 14->112 22 cmd.exe 2 14->22         started        25 cmd.exe 1 17->25         started        signatures6 process7 file8 50 C:\Windows\Temp\...\Virtual.exe, PE32+ 19->50 dropped 52 C:\Windows\Temp\...\msvcr100.dll, PE32+ 19->52 dropped 54 C:\Windows\Temp\...\msvcp100.dll, PE32+ 19->54 dropped 58 3 other files (none is malicious) 19->58 dropped 27 Virtual.exe 8 19->27         started        56 C:\Users\user\AppData\Local\Temp\bewwwy, PE32+ 22->56 dropped 90 Writes to foreign memory regions 22->90 92 Maps a DLL or memory area into another process 22->92 31 validPower_Lnz_x64.exe 22->31         started        33 conhost.exe 22->33         started        35 conhost.exe 25->35         started        signatures9 process10 file11 66 C:\Users\user\AppData\Roaming\...\Virtual.exe, PE32+ 27->66 dropped 68 C:\Users\user\AppData\...\msvcr100.dll, PE32+ 27->68 dropped 70 C:\Users\user\AppData\...\msvcp100.dll, PE32+ 27->70 dropped 72 2 other files (none is malicious) 27->72 dropped 102 Found direct / indirect Syscall (likely to bypass EDR) 27->102 37 Virtual.exe 1 27->37         started        signatures12 process13 signatures14 86 Maps a DLL or memory area into another process 37->86 88 Found direct / indirect Syscall (likely to bypass EDR) 37->88 40 cmd.exe 5 37->40         started        process15 file16 60 C:\Users\user\...\validPower_Lnz_x64.exe, PE32+ 40->60 dropped 62 C:\Users\user\AppData\...\jamulieilmfjkk, PE32+ 40->62 dropped 94 Writes to foreign memory regions 40->94 96 Found hidden mapped module (file has been removed from disk) 40->96 98 Maps a DLL or memory area into another process 40->98 100 Switches to a custom stack to bypass stack traces 40->100 44 validPower_Lnz_x64.exe 40->44         started        48 conhost.exe 40->48         started        signatures17 process18 dnsIp19 76 apokalipo.cyou 188.114.96.3, 443, 49739, 49740 CLOUDFLARENETUS European Union 44->76 104 Found many strings related to Crypto-Wallets (likely being stolen) 44->104 106 Tries to harvest and steal Bitcoin Wallet information 44->106 108 Found direct / indirect Syscall (likely to bypass EDR) 44->108 signatures20
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 apokalipo.cyou European Union
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
apokalipo.cyou 188.114.96.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://apokalipo.cyou/watchvideo-sheila-avis-de-recherche-191280-2770205.html?xevok9zcbyqunjb=ZzsLLytC%2FMtKEkDEIiMG%2BNOJ3DYSue3YuBdMbTrtqKKdsg%2BC%2Fobe9lLJF33efnkG false
    		unknown