Windows Analysis Report
#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe

Overview

General Information

Sample name: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe
renamed because original name is a hash value
Original sample name: _.hpw.scr.exe
Analysis ID: 1543679
MD5: 697d9c4f0800f93a19b89bf923d4135a
SHA1: 6d77a6b41de8d1f24bee70ea628029fe7784077f
SHA256: 8071c7b74e7ca2769f3746ec8cc007caee65474bb77808b7a84c84f877452605
Tags: exeuser-zhuzhu0009
Infos:

Detection

Score: 69
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 31
Range: 0 - 100

Signatures

Detected unpacking (changes PE section rights)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Suricata IDS alerts for network traffic
Detected PE file pumping (to bypass AV & sandboxing)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
EXE planting / hijacking vulnerabilities found
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Explorer Process Tree Break
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe EXE: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to behavior

Compliance
barindex
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe EXE: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to behavior
Uses 32bit PE files
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static PE information: certificate valid
Source: Binary string: c:\Users\86130\Desktop\cert\debug\cert.pdb source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1718229560.0000000005E48000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe, 00000008.00000002.1858149624.0000000010299000.00000002.00000001.01000000.0000000F.sdmp, TASLogin.exe, 0000000C.00000002.1957609639.0000000010299000.00000002.00000001.01000000.0000000F.sdmp, TASLogin.exe, 0000000E.00000002.2037664334.0000000010299000.00000002.00000001.01000000.0000000F.sdmp, TASLoginBase.dll.0.dr
Source: Binary string: D:\Workspace\p-2ed35f15174943f6b676502b51f53d81\Output\TASLogin.pdb source: TASLogin.exe, TASLogin.exe, 0000000E.00000000.2034919769.000000000044A000.00000002.00000001.01000000.0000000E.sdmp, TASLogin.exe, 0000000F.00000000.2035415053.000000000044A000.00000002.00000001.01000000.0000000E.sdmp, TASLogin.exe.0.dr
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00408694 FindFirstFileW,FindClose, 9_2_00408694
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004080C8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 9_2_004080C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_00408694 FindFirstFileW,FindClose, 13_2_00408694
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_004080C8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 13_2_004080C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_00408694 FindFirstFileW,FindClose, 15_2_00408694
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_004080C8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 15_2_004080C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00427EE0 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,StrCmpNIW, 9_2_00427EE0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.4:49740 -> 137.220.137.85:24818
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 137.220.137.85:24818
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042B0E8 recv, 9_2_0042B0E8
Source: global traffic DNS traffic detected: DNS query: 24818.windows-updata.com
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, TASLogin.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, TASLogin.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, TASLogin.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, TASLogin.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, TASLogin.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: TASLogin.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, TASLogin.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, TASLogin.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0L
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, TASLogin.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe String found in binary or memory: http://ocsp.sectigo.com04
Source: explorer.exe, 00000002.00000002.2960243626.0000000005D92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mDD
Source: explorer.exe, 00000002.00000002.2960243626.0000000005D92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsof
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe String found in binary or memory: https://sectigo.com/CPS0
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe String found in binary or memory: https://support.google.com/chrome/?p=usage_stats_crash_reports
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695127501.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1695264229.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Contains functionality to delete services
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042D600 OpenSCManagerW,OpenServiceW,StartServiceW,ControlService,DeleteService,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle, 9_2_0042D600
Detected potential crypto function
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004208F4 9_2_004208F4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004250A3 9_2_004250A3
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0041E0A4 9_2_0041E0A4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004248B4 9_2_004248B4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042215C 9_2_0042215C
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0041E9D4 9_2_0041E9D4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00425496 9_2_00425496
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00424DF9 9_2_00424DF9
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00424600 9_2_00424600
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004256E7 9_2_004256E7
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_004208F4 13_2_004208F4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_004250A3 13_2_004250A3
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_0041E0A4 13_2_0041E0A4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_004248B4 13_2_004248B4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_0042215C 13_2_0042215C
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_0041E9D4 13_2_0041E9D4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_00425496 13_2_00425496
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_00424DF9 13_2_00424DF9
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_00424600 13_2_00424600
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_004256E7 13_2_004256E7
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_004208F4 15_2_004208F4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_004250A3 15_2_004250A3
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_0041E0A4 15_2_0041E0A4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_004248B4 15_2_004248B4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_0042215C 15_2_0042215C
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_0041E9D4 15_2_0041E9D4
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_00425496 15_2_00425496
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_00424DF9 15_2_00424DF9
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_00424600 15_2_00424600
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_004256E7 15_2_004256E7
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe CA1F26619B4483F4BDA6B4D352B58A9C4F30C2E985E62E761B7D6F3440922264
Found potential string decryption / allocating functions
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: String function: 00406000 appears 33 times
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: String function: 00406A80 appears 39 times
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: String function: 00406BB8 appears 31 times
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: String function: 00406060 appears 42 times
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: String function: 004063A0 appears 36 times
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: String function: 00406824 appears 582 times
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: String function: 004090B0 appears 39 times
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: String function: 0040ADB8 appears 600 times
PE file contains executable resources (Code or Archives)
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static PE information: Resource name: ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
Uses 32bit PE files
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TASLogin.exe.0.dr Static PE information: Section: .ace ZLIB complexity 0.99965625
Source: TASLogin.exe.0.dr Static PE information: Section: .tvm0 ZLIB complexity 0.9984584530651341
Source: classification engine Classification label: mal69.evad.winEXE@16/21@1/1
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0043BC08 LookupPrivilegeValueW,AdjustTokenPrivileges, 9_2_0043BC08
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0043D53C GetDiskFreeSpaceW, 9_2_0043D53C
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0040BA58 GetModuleHandleW,FindResourceW,LoadResource,LockResource,FreeResource, 9_2_0040BA58
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042D600 OpenSCManagerW,OpenServiceW,StartServiceW,ControlService,DeleteService,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle, 9_2_0042D600
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe File created: C:\Users\Public\BRBUAU Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Mutant created: \Sessions\1\BaseNamedObjects\$0_4BF0F494
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe "C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe"
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe C:\Users\Public\Music\LI1L1K
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe "C:\Users\Public\Documents\A9Q9P9\TASLogin.exe"
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe
Source: unknown Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe "C:\Users\Public\Documents\A9Q9P9\TASLogin.exe"
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe
Source: unknown Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe "C:\Users\Public\Documents\A9Q9P9\TASLogin.exe"
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe C:\Users\Public\Music\LI1L1K Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe "C:\Users\Public\Documents\A9Q9P9\TASLogin.exe" Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to behavior
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.fileexplorer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cldapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uiribbon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: tasloginbase.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: schedcli.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: tasloginbase.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: schedcli.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: tasloginbase.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: schedcli.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static PE information: certificate valid
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static file information: File size 57700088 > 1048576
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x368b000
Source: Binary string: c:\Users\86130\Desktop\cert\debug\cert.pdb source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe, 00000000.00000003.1718229560.0000000005E48000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe, 00000008.00000002.1858149624.0000000010299000.00000002.00000001.01000000.0000000F.sdmp, TASLogin.exe, 0000000C.00000002.1957609639.0000000010299000.00000002.00000001.01000000.0000000F.sdmp, TASLogin.exe, 0000000E.00000002.2037664334.0000000010299000.00000002.00000001.01000000.0000000F.sdmp, TASLoginBase.dll.0.dr
Source: Binary string: D:\Workspace\p-2ed35f15174943f6b676502b51f53d81\Output\TASLogin.pdb source: TASLogin.exe, TASLogin.exe, 0000000E.00000000.2034919769.000000000044A000.00000002.00000001.01000000.0000000E.sdmp, TASLogin.exe, 0000000F.00000000.2035415053.000000000044A000.00000002.00000001.01000000.0000000E.sdmp, TASLogin.exe.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Unpacked PE file: 9.2.TASLogin.exe.400000.0.unpack .ace:ER;.ace:R;.ace:W;.ace:R;.ace:W;.ace:R;.tvm0:ER;.ace:R;.ace:EW; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Unpacked PE file: 13.2.TASLogin.exe.400000.0.unpack .ace:ER;.ace:R;.ace:W;.ace:R;.ace:W;.ace:R;.tvm0:ER;.ace:R;.ace:EW; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Unpacked PE file: 15.2.TASLogin.exe.400000.0.unpack .ace:ER;.ace:R;.ace:W;.ace:R;.ace:W;.ace:R;.tvm0:ER;.ace:R;.ace:EW; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .ace
PE file contains sections with non-standard names
Source: TASLogin.exe.0.dr Static PE information: section name: .ace
Source: TASLogin.exe.0.dr Static PE information: section name: .ace
Source: TASLogin.exe.0.dr Static PE information: section name: .ace
Source: TASLogin.exe.0.dr Static PE information: section name: .ace
Source: TASLogin.exe.0.dr Static PE information: section name: .ace
Source: TASLogin.exe.0.dr Static PE information: section name: .ace
Source: TASLogin.exe.0.dr Static PE information: section name: .tvm0
Source: TASLogin.exe.0.dr Static PE information: section name: .ace
Source: TASLogin.exe.0.dr Static PE information: section name: .ace
Source: TASLoginBase.dll.0.dr Static PE information: section name: .textbss
Source: TASLoginBase.dll.0.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB761 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Code function: 0_3_05BBB7E1 push FFFFFFA6h; iretd 0_3_05BBB76B
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 8_2_0044CD4D push esi; ret 8_2_0044CD56
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00426840 push ecx; mov dword ptr [esp], ecx 9_2_00426845
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00443318 push 004433B5h; ret 9_2_004433AD
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00426448 push ecx; mov dword ptr [esp], edx 9_2_00426449
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00426408 push ecx; mov dword ptr [esp], edx 9_2_00426409
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00431070 push 004310B8h; ret 9_2_004310B0
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0043E8C0 push 0043E935h; ret 9_2_0043E92D
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042C0EC push 0042C138h; ret 9_2_0042C130
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042B0AC push 0042B0E4h; ret 9_2_0042B0DC
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004159E0 push ecx; mov dword ptr [esp], eax 9_2_004159E2
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004079FD pushfd ; retf 9_2_004079FE
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00415AA4 push ecx; mov dword ptr [esp], eax 9_2_00415AA6
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042C380 push 0042C3B8h; ret 9_2_0042C3B0
Source: TASLogin.exe.0.dr Static PE information: section name: .ace entropy: 7.998370715747767
Source: TASLogin.exe.0.dr Static PE information: section name: .tvm0 entropy: 7.997724175014119
Source: TASLogin.exe.0.dr Static PE information: section name: .ace entropy: 7.977928914872778
Drops PE files
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe File created: C:\Users\Public\Documents\A9Q9P9\TASLoginBase.dll Jump to dropped file
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe File created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to dropped file
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042D600 OpenSCManagerW,OpenServiceW,StartServiceW,ControlService,DeleteService,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle, 9_2_0042D600
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IFfmsjhgsda Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IFfmsjhgsda Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon122.png
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Detected PE file pumping (to bypass AV & sandboxing)
Source: #Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Static PE information: Resource name: RT_RCDATA size: 0x335c318
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate running services
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: OpenSCManagerW,EnumServicesStatusExW,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,CloseServiceHandle, 9_2_0042D1D4
Contains functionality to query network adapater information
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: VirtualAlloc,GetAdaptersInfo,lstrlenW,VirtualFree, 9_2_0040B0EC
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: VirtualAlloc,GetAdaptersInfo,lstrlenW,VirtualFree, 9_2_0040B0EA
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: VirtualAlloc,GetAdaptersInfo,lstrlenW,VirtualFree, 9_2_0040AEE0
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Window / User API: threadDelayed 6667 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API coverage: 9.1 %
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API coverage: 9.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe TID: 8044 Thread sleep time: -66670s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Thread sleep count: Count: 6667 delay: -10 Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00408694 FindFirstFileW,FindClose, 9_2_00408694
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004080C8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 9_2_004080C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_00408694 FindFirstFileW,FindClose, 13_2_00408694
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 13_2_004080C8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 13_2_004080C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_00408694 FindFirstFileW,FindClose, 15_2_00408694
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 15_2_004080C8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 15_2_004080C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00427EE0 GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,StrCmpNIW, 9_2_00427EE0
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_00408F10 GetSystemInfo, 9_2_00408F10
Source: TASLogin.exe, 00000009.00000002.2959716114.0000000000598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzzrb
Source: explorer.exe, 00000002.00000002.2960624197.00000000067B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a
Source: TASLogin.exe, 0000000D.00000002.1956635036.00000000006E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: explorer.exe, 00000002.00000002.2960624197.00000000067B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: TASLogin.exe, 0000000F.00000002.2036518898.0000000000528000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\#Uc774#Uc9c0#Ud604_#Uc785#Uc0ac#Uc9c0#Uc6d0#Uc11c.hpw.scr.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0042CD20 GetProcessHeap,lstrlenW, 9_2_0042CD20

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Memory written: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Memory written: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Memory written: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Process created: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Jump to behavior
Source: TASLogin.exe, 00000009.00000002.2960043554.0000000000A5F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program ManagerA
Source: TASLogin.exe, 00000009.00000003.1861289737.000000000063C000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe, 00000009.00000003.1861511431.000000000063C000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe, 00000009.00000003.1861556411.000000000063C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $*2024-10-28 04:05:21$*4515531$*Program Manager$*$*3535539496$*zxcv12321$*1111111$*x
Source: TASLogin.exe, 00000009.00000002.2960043554.0000000000A2B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $*2024-10-28 04:05:21$*4515531$*Program Manager$*$*3535539496$*zxcv12321$*1111111$*host.exe
Source: TASLogin.exe, 00000009.00000002.2959716114.000000000063C000.00000004.00000020.00020000.00000000.sdmp, TASLogin.exe, 00000009.00000002.2959716114.00000000005E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $*2024-10-28 04:05:21$*4515531$*Program Manager$*$*3535539496$*zxcv12321$*1111111$*
Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_004046A0 cpuid 9_2_004046A0
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 9_2_004087CC
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 9_2_0041A844
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 9_2_0041D2E0
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_00407C6C
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: EnumSystemLocalesW, 9_2_0041D4C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 9_2_0041A7F8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 13_2_004087CC
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 13_2_0041A844
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 13_2_0041D2E0
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_00407C6C
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: EnumSystemLocalesW, 13_2_0041D4C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 13_2_0041A7F8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 15_2_004087CC
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 15_2_0041A844
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 15_2_0041D2E0
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_00407C6C
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: EnumSystemLocalesW, 15_2_0041D4C8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: GetLocaleInfoW, 15_2_0041A7F8
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0041A7A8 GetLocalTime, 9_2_0041A7A8
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0043B588 GetUserNameW, 9_2_0043B588
Source: C:\Users\Public\Documents\A9Q9P9\TASLogin.exe Code function: 9_2_0041C9BC GetVersionExW, 9_2_0041C9BC
Searches for user specific document files
Source: C:\Windows\explorer.exe Directory queried: C:\Users\Public\Documents Jump to behavior
Source: C:\Windows\explorer.exe Directory queried: C:\Users\Public\Documents\A9Q9P9 Jump to behavior
Source: C:\Windows\explorer.exe Directory queried: C:\Users\Public\Documents\A9Q9P9 Jump to behavior
Source: C:\Windows\explorer.exe Directory queried: C:\Users\Public\Documents Jump to behavior
Source: C:\Windows\explorer.exe Directory queried: C:\Users\Public\Documents\A9Q9P9 Jump to behavior
Source: C:\Windows\explorer.exe Directory queried: C:\Users\Public\Documents\A9Q9P9 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1543679 Sample: #Uc774#Uc9c0#Ud604_#Uc785#U... Startdate: 28/10/2024 Architecture: WINDOWS Score: 69 34 24818.windows-updata.com 2->34 46 Suricata IDS alerts for network traffic 2->46 48 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->48 50 Detected PE file pumping (to bypass AV & sandboxing) 2->50 52 3 other signatures 2->52 8 explorer.exe 15 9 2->8         started        10 TASLogin.exe 2->10         started        13 TASLogin.exe 2->13         started        15 3 other processes 2->15 signatures3 process4 file5 18 TASLogin.exe 1 8->18         started        54 Injects a PE file into a foreign processes 10->54 21 TASLogin.exe 10->21         started        23 TASLogin.exe 13->23         started        30 C:\Users\Public\Documents\...\TASLogin.exe, PE32 15->30 dropped 32 C:\Users\Public\...\TASLoginBase.dll, PE32 15->32 dropped 25 explorer.exe 1 15->25         started        signatures6 process7 signatures8 38 Detected unpacking (changes PE section rights) 18->38 40 Found evasive API chain (may stop execution after checking mutex) 18->40 42 Found API chain indicative of debugger detection 18->42 44 Injects a PE file into a foreign processes 18->44 27 TASLogin.exe 1 18->27         started        process9 dnsIp10 36 24818.windows-updata.com 137.220.137.85, 24818, 49740 BCPL-SGBGPNETGlobalASNSG Singapore 27->36
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
137.220.137.85
 24818.windows-updata.com Singapore
64050 BCPL-SGBGPNETGlobalASNSG true

Contacted Domains

Name IP Active
24818.windows-updata.com 137.220.137.85 true