
Windows Analysis Report
WirelessMedia.exe

Overview

General Information

Sample name: WirelessMedia.exe
Analysis ID: 1544380
MD5: 014a54772378c797b10fc7f764aeb070
SHA1: 30892aa18b807e9fb9de4629f9c00a495f7152e7
SHA256: fa24b05dae7d2d915e3a71106509df6fe3892b35337fcb81e6bb1d99bb0b5dfe

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 47
Range: 0 - 100

Signatures

Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

Classification

  • System is w10x64
  • WirelessMedia.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\WirelessMedia.exe" MD5: 014A54772378C797B10FC7F764AEB070)
    • WirelessMediaAutoServiceC3.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe" MD5: 155592EEF1B36C627ED48E601B9D5AF7)
    • WirelessMediaMain.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe" MD5: 732534B20FF487EC1AE4E4B39C8E06A4)
  • WirelessMediaAutoServiceC3.exe (PID: 7564 cmdline: "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe" MD5: 155592EEF1B36C627ED48E601B9D5AF7)
  • WirelessMediaAutoServiceC3.exe (PID: 7768 cmdline: "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe" MD5: 155592EEF1B36C627ED48E601B9D5AF7)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\WirelessMedia.exe, ProcessId: 7340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Auto_Agent_WirelessMediaC3
No Suricata rule has matched

There are no malicious signatures.

Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance

Source: WirelessMedia.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WirelessMedia.exe | Static PE information: certificate valid
Source: WirelessMedia.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: G:\git_code\Custom_new_ui\guonei\windows_new_ui\Release\WirelessMediaAutoServiceC3.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaAutoServiceC3.exe, 00000001.00000002.4131018854.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000001.00000000.1674756084.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000003.00000002.1793005366.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000003.00000000.1792521725.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000005.00000002.1873697861.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000005.00000000.1873221967.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe.0.dr
Source: Binary string: G:\git_code\Custom_new_ui\guonei\windows_new_ui\Release\WirelessMediaMain.pdbr source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131454423.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678608052.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: F:\gx\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: G:\git_code\Custom_new_ui\guonei\windows_new_ui\Release\WirelessMediaMain.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131454423.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678608052.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: InstallUtilLib.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: F:\gx\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: z:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: y:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: x:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: w:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: v:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: u:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: t:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: s:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: r:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: q:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: p:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: o:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: n:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: m:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: l:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: k:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: j:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: i:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: h:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: g:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: f:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: e:
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | File opened: c:
Source: unknown | DNS traffic detected: query: 171.39.242.20.in-addr.arpa reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: WirelessMediaMain.exe.0.dr | String found in binary or memory: http://192.168.43.1:8000
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131454423.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678608052.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://192.168.43.1http://192.168.43.1:8000OKStarter-programDownload:ButtonSensor-Tastersprogramme
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678687371.00000000014F0000.00000008.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131560231.00000000014F3000.00000008.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://lame.sf.net
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678687371.00000000014F0000.00000008.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131560231.00000000014F3000.00000008.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://lame.sf.net32bits64bitsBluesClassic
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://s.symcd.com0_
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://sw.symcd.com0
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000015D2000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: WirelessMediaMain.exe.0.dr | String found in binary or memory: http://www.videolan.org/x264.html
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0)
Source: WirelessMedia.exe, WirelessMediaMain.exe.0.dr, WirelessMediaAutoServiceC3.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process Stats: CPU usage > 49%
Source: WirelessMediaMain.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: WirelessMediaMain.exe.0.dr | Static PE information: Number of sections : 17 > 10
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWirelessMediaAutoServiceC3.exe< vs WirelessMedia.exe
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWirelessMediaMain.exe< vs WirelessMedia.exe
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInstallUtilLib.dllT vs WirelessMedia.exe
Source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDPCA.DLLT vs WirelessMedia.exe
Source: WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInstallUtilLib.dllT vs WirelessMedia.exe
Source: WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDPCA.DLLT vs WirelessMedia.exe
Source: WirelessMedia.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: clean5.winEXE@7/3@1/1
Source: C:\Users\user\Desktop\WirelessMedia.exeFile created: C:\Users\user\AppData\Local\WirelessMediaJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeMutant created: \Sessions\1\BaseNamedObjects\com.WirelessMedia.mainApplicationC3
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeMutant created: \Sessions\1\BaseNamedObjects\NULL
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeMutant created: \Sessions\1\BaseNamedObjects\com.WirelessMedia.autoserviceC3
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeMutant created: \Sessions\1\BaseNamedObjects\com.WirelessMedia_Launcher.runningC3
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeSystem information queried: HandleInformationJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\WirelessMedia.exe "C:\Users\user\Desktop\WirelessMedia.exe"
Source: C:\Users\user\Desktop\WirelessMedia.exeProcess created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
Source: C:\Users\user\Desktop\WirelessMedia.exeProcess created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe"
Source: unknownProcess created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
Source: unknownProcess created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
Source: C:\Users\user\Desktop\WirelessMedia.exeProcess created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe" Jump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeProcess created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe" Jump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\WirelessMedia.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: oledlg.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: avrt.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: hid.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: wlanapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\WirelessMedia.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: StartLinkC3.lnk.0.dr | LNK file: ..\..\..\Desktop\WirelessMedia.exe
Source: WirelessMedia.exe | Static PE information: certificate valid
Source: WirelessMedia.exe | Static file information: File size 6594024 > 1048576
Source: WirelessMedia.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x63c400
Source: WirelessMedia.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: G:\git_code\Custom_new_ui\guonei\windows_new_ui\Release\WirelessMediaAutoServiceC3.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaAutoServiceC3.exe, 00000001.00000002.4131018854.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000001.00000000.1674756084.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000003.00000002.1793005366.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000003.00000000.1792521725.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000005.00000002.1873697861.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe, 00000005.00000000.1873221967.00000000008B6000.00000002.00000001.01000000.00000006.sdmp, WirelessMediaAutoServiceC3.exe.0.dr
Source: Binary string: G:\git_code\Custom_new_ui\guonei\windows_new_ui\Release\WirelessMediaMain.pdbr source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131454423.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678608052.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: F:\gx\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: G:\git_code\Custom_new_ui\guonei\windows_new_ui\Release\WirelessMediaMain.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131454423.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678608052.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: InstallUtilLib.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: Binary string: F:\gx\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: WirelessMedia.exe, 00000000.00000002.1679451694.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000017F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .text.un
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .rodata
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .eh_fram
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .drectve
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: _RDATA
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .debug_l
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .debug_i
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .debug_a
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .debug_a
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .debug_f
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .debug_l
Source: WirelessMediaMain.exe.0.dr | Static PE information: section name: .debug_r
Source: WirelessMediaAutoServiceC3.exe.0.dr | Static PE information: section name: .text entropy: 6.9992849095309815
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\WirelessMedia.exe | File created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe
Source: C:\Users\user\Desktop\WirelessMedia.exe | File created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe
Source: C:\Users\user\Desktop\WirelessMedia.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Auto_Agent_WirelessMediaC3
Source: C:\Users\user\Desktop\WirelessMedia.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Auto_Agent_WirelessMediaC3
Source: C:\Users\user\Desktop\WirelessMedia.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Window / User API: threadDelayed 1459
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Window / User API: threadDelayed 1472
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Window / User API: threadDelayed 1424
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Window / User API: threadDelayed 1425
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Window / User API: threadDelayed 1492
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Window / User API: threadDelayed 1474
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Thread sleep count: Count: 1459 delay: -10
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Thread sleep count: Count: 1472 delay: -10
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Thread sleep count: Count: 1424 delay: -10
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Thread sleep count: Count: 1425 delay: -10
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Thread sleep count: Count: 1492 delay: -10
Source: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | Thread sleep count: Count: 1474 delay: -10
Source: WirelessMediaMain.exe, 00000002.00000002.4132468547.00000000020E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\WirelessMedia.exe | Process created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
Source: C:\Users\user\Desktop\WirelessMedia.exe | Process created: C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe "C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe"
Source: C:\Users\user\Desktop\WirelessMedia.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK matrix, listed per tactic (bracketed numbers are the hit-count badges reproduced from the matrix):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Replication Through Removable Media [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [11]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [1]; Process Injection [11]; Obfuscated Files or Information [11]; Software Packing [11]; DLL Side-Loading [1]; Compile After Delivery
Credential Access: Input Capture [11]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [1]; Virtualization/Sandbox Evasion [1]; Process Discovery [1]; Application Window Discovery [1]; Peripheral Device Discovery [11]; File and Directory Discovery [1]; System Information Discovery [12]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture [11]; Archive Collected Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1544380, Sample: WirelessMedia.exe, Startdate: 29/10/2024, Architecture: WINDOWS, Score: 5): WirelessMedia.exe started, dropped C:\Users\user\...\WirelessMediaMain.exe (PE32) and C:\Users\...\WirelessMediaAutoServiceC3.exe (PE32), and started WirelessMediaMain.exe and WirelessMediaAutoServiceC3.exe; two further WirelessMediaAutoServiceC3.exe instances were started separately. DNS: 171.39.242.20.in-addr.arpa. WirelessMediaMain.exe contacted 239.1.1.1 (unknown, Reserved).

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe |
http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
171.39.242.20.in-addr.arpa | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://192.168.43.1:8000 | WirelessMediaMain.exe.0.dr | false | | unknown
http://lame.sf.net | WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678687371.00000000014F0000.00000008.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131560231.00000000014F3000.00000008.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | false | | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | false | URL Reputation: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678756490.00000000015D2000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | false | | unknown
http://ocsp.thawte.com0 | WirelessMedia.exe, 00000000.00000002.1679451694.000000000094D000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131800205.00000000016B4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | false | URL Reputation: safe | unknown
http://www.videolan.org/x264.html | WirelessMediaMain.exe.0.dr | false | | unknown
http://192.168.43.1http://192.168.43.1:8000OKStarter-programDownload:ButtonSensor-Tastersprogramme | WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131454423.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678608052.00000000013F4000.00000002.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | false | | unknown
http://lame.sf.net32bits64bitsBluesClassic | WirelessMedia.exe, 00000000.00000002.1679451694.000000000003A000.00000040.00000001.01000000.00000003.sdmp, WirelessMediaMain.exe, 00000002.00000000.1678687371.00000000014F0000.00000008.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe, 00000002.00000002.4131560231.00000000014F3000.00000008.00000001.01000000.00000007.sdmp, WirelessMediaMain.exe.0.dr | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
239.1.1.1 | unknown | Reserved | | unknown | unknown | false
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1544380
                Start date and time:2024-10-29 10:51:33 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 42s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:WirelessMedia.exe
                Detection:CLEAN
                Classification:clean5.winEXE@7/3@1/1
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: WirelessMedia.exe
Time | Type | Description
05:53:00 | API Interceptor | 901345x Sleep call for process: WirelessMediaMain.exe modified
09:52:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Auto_Agent_WirelessMediaC3 C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe
09:52:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Auto_Agent_WirelessMediaC3 C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe
No context
                Process:C:\Users\user\Desktop\WirelessMedia.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 11:02:29 2023, mtime=Tue Oct 29 08:52:24 2024, atime=Tue Oct 29 08:52:23 2024, length=6594024, window=hide
                Category:dropped
                Size (bytes):596
                Entropy (8bit):5.151991171195955
                Encrypted:false
                SSDEEP:12:8X28zYNbR1c+IdSPMUIcOjAnnpkdIwtzrBmV:8GTn1QLAyAnn8zrBm
                MD5:54A58A6E2DD0E6A3E7D39FE1AB8488AF
                SHA1:BC1931844533ED33B566431C8876E2E64890E597
                SHA-256:0EDBF9B7E2D0B26654C3B3D366F0D2F25BB615D5D162CCA7201D42D4A0C19EDB
                SHA-512:3F01D6EA27996C3A30370F4C5D329E413221500C0E548B19C0F33F8E3448242F6612903AE9CECD142527B4CDB14C401001B1AD67634523636FA290A16E3EBC37
                Malicious:false
                Reputation:low
                Process:C:\Users\user\Desktop\WirelessMedia.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):1642984
                Entropy (8bit):6.93719358199322
                Encrypted:false
                SSDEEP:49152:9yOilCk1RBJvQ/qpyr0kPBbh4dPo1b+1mA1EtxJa:9yO0CkPDvQ/qpyr0kPhh4a1b
                MD5:155592EEF1B36C627ED48E601B9D5AF7
                SHA1:9B8C108AFE73EAED94A058BEFAC1D685695377F5
                SHA-256:2DAE238DA117647815D4E9BA339A936125484B21DE36B9C2E5D44E63F125AB98
                SHA-512:FB68DCFBF70337810A0B0BAA8D4B701B7F751A5F978F5DAABA9D67044FBBFB7124F0AD06F26846C82508360D99A17A5582CC493B7AF9D69F7596B6C4C5C790A4
                Malicious:false
                Reputation:low
                Process:C:\Users\user\Desktop\WirelessMedia.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):11958248
                Entropy (8bit):7.161381955785398
                Encrypted:false
                SSDEEP:196608:hqaB5jOFP65t7guKGfHHW42+DcWgBq2eOSKx7a75FLOyomFHKnP:saBEITKg6WgcJ87w5F
                MD5:732534B20FF487EC1AE4E4B39C8E06A4
                SHA1:4DA9982F467F30F41429136DBA07AC38AC835C5E
                SHA-256:68417DFFB4CD126C41D2084730DC22336F515945D6FD8C60320CB2314666B810
                SHA-512:DE9FD02C26D7F62A85EB71993BD6A662ED7F4C1835C16C4312498B6C95C22C333D5880508DD79E47D0F7504BD19E2EB9D7237A1EBEF0146734D739B33E2FDEF3
                Malicious:false
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Reputation:low
                File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                Entropy (8bit):7.891880593118451
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.39%
                • UPX compressed Win32 Executable (30571/9) 0.30%
                • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                File name:WirelessMedia.exe
                File size:6'594'024 bytes
                MD5:014a54772378c797b10fc7f764aeb070
                SHA1:30892aa18b807e9fb9de4629f9c00a495f7152e7
                SHA256:fa24b05dae7d2d915e3a71106509df6fe3892b35337fcb81e6bb1d99bb0b5dfe
                SHA512:9c61d07788bd9a2b8602782f4bf49d7527a1c1f4e1698ea2796e6164536404510f2d58c7bab6c6490b5429de789cc641ac4aa0e30ade63052387a75ab32a5c00
                SSDEEP:196608:dVL1YbjAJ5YYH6htHV2pkJlP1Akrcgu2qlO:dVLy4J59IOkJvVrc5E
                TLSH:9F6633442416E8B1F6822932A13BF9F161137C134F8A38729DD7DEE77976BC2D99120B
                Icon Hash:51ac1c32b3e71a45
                Entrypoint:0x112a020
                Entrypoint Section:UPX1
                Digitally signed:true
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x63185226 [Wed Sep 7 08:11:18 2022 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:94c825b2ef0cd473caa10df89c5f0dd4
                Signature Valid:true
                Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                Signature Validation Error:The operation completed successfully
                Error Number:0
                Not Before, Not After
                • 23/08/2022 05:10:58 24/08/2023 05:10:58
                Subject Chain
• CN="Wireless Media Tech Co., Limited", O="Wireless Media Tech Co., Limited", STREET=南山区招商街道招商街道沿山路45号佳利泰大厦6C, L=深圳市, S=广东省, C=CN, OID.1.3.6.1.4.1.311.60.2.1.1=SHENZHEN, OID.1.3.6.1.4.1.311.60.2.1.2=GUANGDONG, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91440300MA5EJ7APXW, OID.2.5.4.15=Private Organization
                Version:3
                Thumbprint MD5:440EA16CB44EF7F0321868A315608296
                Thumbprint SHA-1:05EF4338A1CF0E38F485B994EB2B33E652F8167F
                Thumbprint SHA-256:3976C2CC13DCDFD1594C930355CC4F1C4F12A976C9C3BE9E117AE03B7109BCE5
                Serial:326A9E19304E7EC735AA7319
                Instruction
                pushad
                mov esi, 00AEE000h
                lea edi, dword ptr [esi-006ED000h]
                push edi
                or ebp, FFFFFFFFh
                jmp 00007F8A94D36162h
                nop
                nop
                nop
                nop
                nop
                nop
                mov al, byte ptr [esi]
                inc esi
                mov byte ptr [edi], al
                inc edi
                add ebx, ebx
                jne 00007F8A94D36159h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007F8A94D3613Fh
                mov eax, 00000001h
                add ebx, ebx
                jne 00007F8A94D36159h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc eax, eax
                add ebx, ebx
                jnc 00007F8A94D3615Dh
                jne 00007F8A94D3617Ah
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007F8A94D36171h
                dec eax
                add ebx, ebx
                jne 00007F8A94D36159h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc eax, eax
                jmp 00007F8A94D36126h
                add ebx, ebx
                jne 00007F8A94D36159h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc ecx, ecx
                jmp 00007F8A94D361A4h
                xor ecx, ecx
                sub eax, 03h
                jc 00007F8A94D36163h
                shl eax, 08h
                mov al, byte ptr [esi]
                inc esi
                xor eax, FFFFFFFFh
                je 00007F8A94D361C7h
                sar eax, 1
                mov ebp, eax
                jmp 00007F8A94D3615Dh
                add ebx, ebx
                jne 00007F8A94D36159h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007F8A94D3611Eh
                inc ecx
                add ebx, ebx
                jne 00007F8A94D36159h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jc 00007F8A94D36110h
                add ebx, ebx
                jne 00007F8A94D36159h
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                adc ecx, ecx
                add ebx, ebx
                jnc 00007F8A94D36141h
                jne 00007F8A94D3615Bh
                mov ebx, dword ptr [esi]
                sub esi, FFFFFFFCh
                adc ebx, ebx
                jnc 00007F8A94D36136h
                add ecx, 02h
                cmp ebp, FFFFFB00h
                adc ecx, 02h
                lea edx, dword ptr [eax+eax]
                Programming Language:
                • [ASM] VS2013 build 21005
                • [ C ] VS2013 build 21005
                • [C++] VS2013 build 21005
                • [RES] VS2013 build 21005
                • [LNK] VS2013 UPD5 build 40629
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd349d0 | 0x1bc | .rsrc
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd2b000 | 0x99d0 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x646400 | 0x39e8 | UPX0
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd34b8c | 0x10 | .rsrc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xd2a204 | 0x48 | UPX1
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                UPX0 | 0x1000 | 0x6ed000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                UPX1 | 0x6ee000 | 0x63d000 | 0x63c400 | e7188e3a5d34bea773d37cad34e35bf0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0xd2b000 | 0xa000 | 0x9c00 | 5e3a1cf7ed090c096c81bc2f5ef32911 | False | 0.3697666266025641 | data | 4.711289739895565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_ICON | 0xd2b50c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | Chinese | China | 0.26918976545842216
                RT_ICON | 0xd2c3b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Chinese | China | 0.37274368231046934
                RT_ICON | 0xd2cc64 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672 | Chinese | China | 0.45276497695852536
                RT_ICON | 0xd2d330 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Chinese | China | 0.5036127167630058
                RT_ICON | 0xd2d89c | 0x27bc | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9494691309476996
                RT_ICON | 0xd3005c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.08423236514522822
                RT_ICON | 0xd32608 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.10764540337711069
                RT_ICON | 0xd336b4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Chinese | China | 0.1721311475409836
                RT_ICON | 0xd34040 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.17641843971631205
                RT_ICON | 0xd1bee8 | 0xea8 | data | Chinese | China | 1.001599147121535
                RT_ICON | 0xd1cd90 | 0x8a8 | data | Chinese | China | 1.0049638989169676
                RT_ICON | 0xd1d638 | 0x6c8 | data | Chinese | China | 1.006336405529954
                RT_ICON | 0xd1dd00 | 0x568 | data | Chinese | China | 1.0079479768786128
                RT_ICON | 0xd1e268 | 0x27bc | data | Chinese | China | 0.9890876917027134
                RT_ICON | 0xd20a28 | 0x25a8 | data | Chinese | China | 0.9807053941908713
                RT_ICON | 0xd22fd0 | 0x10a8 | data | Chinese | China | 0.99906191369606
                RT_ICON | 0xd24078 | 0x988 | data | Chinese | China | 1.0045081967213114
                RT_ICON | 0xd24a00 | 0x468 | data | Chinese | China | 1.0097517730496455
                RT_RCDATA | 0x1a510 | 0x1911e8 | empty | Chinese | China | 0
                RT_RCDATA | 0x1ab6f8 | 0xb677e8 | empty | Chinese | China | 0
                RT_GROUP_ICON | 0xd344ac | 0x84 | data | Chinese | China | 0.6742424242424242
                RT_GROUP_ICON | 0xd24e68 | 0x84 | data | Chinese | China | 1.0833333333333333
                RT_VERSION | 0xd34534 | 0x318 | data | Chinese | China | 0.43434343434343436
                RT_MANIFEST | 0xd34850 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                DLL | Import
                KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                ADVAPI32.dll | RegCloseKey
                ole32.dll | CoInitialize
                SHELL32.dll | ShellExecuteExW
                SHLWAPI.dll | PathFileExistsW
                USER32.dll | wsprintfW
                Language of compilation system | Country where language is spoken | Map
                Chinese | China |
                English | United States |
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 29, 2024 10:52:57.366789103 CET | 53 | 50804 | 162.159.36.2 | 192.168.2.4
                Oct 29, 2024 10:52:57.992657900 CET | 54014 | 53 | 192.168.2.4 | 1.1.1.1
                Oct 29, 2024 10:52:58.001147032 CET | 53 | 54014 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Oct 29, 2024 10:52:57.992657900 CET | 192.168.2.4 | 1.1.1.1 | 0xde64 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Oct 29, 2024 10:52:58.001147032 CET | 1.1.1.1 | 192.168.2.4 | 0xde64 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

                Target ID:0
                Start time:05:52:24
                Start date:29/10/2024
                Path:C:\Users\user\Desktop\WirelessMedia.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\WirelessMedia.exe"
                Imagebase:0x20000
                File size:6'594'024 bytes
                MD5 hash:014A54772378C797B10FC7F764AEB070
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:05:52:25
                Start date:29/10/2024
                Path:C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
                Imagebase:0x7a0000
                File size:1'642'984 bytes
                MD5 hash:155592EEF1B36C627ED48E601B9D5AF7
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false

                Target ID:2
                Start time:05:52:25
                Start date:29/10/2024
                Path:C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaMain.exe"
                Imagebase:0xe70000
                File size:11'958'248 bytes
                MD5 hash:732534B20FF487EC1AE4E4B39C8E06A4
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Antivirus matches:
                • Detection: 0%, ReversingLabs
                Reputation:low
                Has exited:false

                Target ID:3
                Start time:05:52:36
                Start date:29/10/2024
                Path:C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
                Imagebase:0x7a0000
                File size:1'642'984 bytes
                MD5 hash:155592EEF1B36C627ED48E601B9D5AF7
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:5
                Start time:05:52:44
                Start date:29/10/2024
                Path:C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
                Imagebase:0x7a0000
                File size:1'642'984 bytes
                MD5 hash:155592EEF1B36C627ED48E601B9D5AF7
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                No disassembly