Windows Analysis Report
wnGDKyXdAo.exe

Overview

General Information

Sample name: wnGDKyXdAo.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 3fe5fd377ea9bde5ca15723d214916b9a8e1b780bd49fab6e75412315c155b52
Analysis ID: 1540690
MD5: 65265a6752011edf039bdeafeb4e1551
SHA1: 7414c76369b2e5762c93936a22ba530d80488d10
SHA256: 3fe5fd377ea9bde5ca15723d214916b9a8e1b780bd49fab6e75412315c155b52

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Program does not show much activity (idle)

Classification

AV Detection

Source: wnGDKyXdAo.exe Avira: detected
Source: wnGDKyXdAo.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9C835B0 recv, 0_2_00007FF6B9C835B0
Source: wnGDKyXdAo.exe String found in binary or memory: https://http://Mozilla/5.0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: String function: 00007FF6B9CA4AE0 appears 36 times
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: String function: 00007FF6B9CAC040 appears 144 times
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: String function: 00007FF6B9CB0700 appears 63 times
Source: classification engine Classification label: mal48.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03
Source: wnGDKyXdAo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe File read: C:\Users\user\Desktop\wnGDKyXdAo.exe
Source: unknown Process created: C:\Users\user\Desktop\wnGDKyXdAo.exe "C:\Users\user\Desktop\wnGDKyXdAo.exe"
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Section loaded: wininet.dll
Source: wnGDKyXdAo.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: wnGDKyXdAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wnGDKyXdAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wnGDKyXdAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wnGDKyXdAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wnGDKyXdAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CD227C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00007FF6B9CD227C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CDCB44 GetModuleHandleW,GetProcAddress (pair repeated),GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException (sequence repeated), 0_2_00007FF6B9CDCB44
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,free,sprintf,free, 0_2_00007FF6B9C84030
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: wnGDKyXdAo.exe, 00000000.00000002.1698080885.00000264FF860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CB72E0 IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess, 0_2_00007FF6B9CB72E0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CC04E8 GetProcessHeap, 0_2_00007FF6B9CC04E8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CC3868 SetUnhandledExceptionFilter, 0_2_00007FF6B9CC3868
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CBC73C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6B9CBC73C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CBF8B8 cpuid 0_2_00007FF6B9CBF8B8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,EnumSystemLocalesW, 0_2_00007FF6B9CD4D28
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,EnumSystemLocalesW, 0_2_00007FF6B9CD4C74
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson, 0_2_00007FF6B9CBEB88
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 0_2_00007FF6B9CB7EF4
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage, 0_2_00007FF6B9CD4DBC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 0_2_00007FF6B9CD2DB8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage, 0_2_00007FF6B9CD4FEC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW, 0_2_00007FF6B9CBCFE0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: EnumSystemLocalesW, 0_2_00007FF6B9CBCF9C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson, 0_2_00007FF6B9CD42D8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s, 0_2_00007FF6B9CD5290
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson, 0_2_00007FF6B9CC1248
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,GetLocaleInfoW, 0_2_00007FF6B9CD51E8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF6B9CD5138
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free, 0_2_00007FF6B9CD24F8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00007FF6B9CD2654
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 0_2_00007FF6B9CD3540
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW, 0_2_00007FF6B9CD48FC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: __crtGetLocaleInfoEx, 0_2_00007FF6B9CD47F8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 0_2_00007FF6B9CD282C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP, 0_2_00007FF6B9CD4744
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CB7BB8 GetSystemTimeAsFileTime, 0_2_00007FF6B9CB7BB8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9C837C0 GetUserNameA, 0_2_00007FF6B9C837C0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CCAD54 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 0_2_00007FF6B9CCAD54
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CE10A0 Concurrency::details::VirtualProcessor::ThrowVirtualProcessorEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind, 0_2_00007FF6B9CE10A0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe Code function: 0_2_00007FF6B9CE0158 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_00007FF6B9CE0158
No contacted IP infos