Basic Information:
-------------------------------------------
Target OS: Windows
Target Arch: Intel 32bit
File Type: PE32 Executable
Lang: C++
Size: 322K
MD5SUM: 94d9e620da6bd5fe5a4d20aebb15ec6d
Test Environment:
- app.any.run
 \
  |--> Windows 7 32-bit
-------------------------------------------

Abilities:
-----------------------------------------------------------------
- Downloading malicious files
 \
  |--> WerFault.exe
       \
        |--> WerFault.exe -u -p 3952 -s 184
        |--> -u: Might be the parameter for specifying the user
        |--> -p: Might be the parameter for port 3952 (i3 session manager)
        |--> -s: Might be the parameter for timing, 184 (seconds, maybe)

- Dealing with keyboard
 \
  |--> GetKeyboardType

- Debugger evasion
 \
  |--> IsDebuggerPresent
  |--> GetTickCount

- Manipulating Windows Registry
 \
  |--> RegOpenKeyExA
  |--> RegQueryValueExA
  |--> RtlUnwind
  |--> RegCloseKey
  |--> RegCreateKeyExA
  |--> RegSetValueExA

- Manipulating files
 \
  |--> CreateFileA
  |--> ReadFile
  |--> WriteFile
  |--> DeleteFileA
  |--> FindFirstFileA
  |--> FindNextFileA
  |--> SetFilePointer
  |--> GetSystemTimeAsFileTime
  |--> GetFileType
  |--> GetModuleFileNameA
  |--> FileTimeToLocalFileTime
  |--> FileTimeToSystemTime
  |--> FlushFileBuffers
  |--> SetEndOfFile
  |--> GetFileAttributesA

- Tracking processes
 \
  |--> VirtualAlloc
  |--> HeapAlloc
  |--> VirtualProtect
  |--> OpenProcess
  |--> GetProcAddress
  |--> ExitProcess
  |--> TerminateProcess
  |--> CreateProcessA
  |--> GetProcessHeap
  |--> ReadProcessMemory
-----------------------------------------------------------------

Connections:
---------------------------------------------------
Domains:
- csdownload.me
 \
  |--> host10.csdownload.me
  |--> host11.csdownload.me
  |--> host12.csdownload.me
  |--> wefixyou.csdownload.me
  |--> lcrs.csdownload.me
  |--> dwsrv4.csdownload.me

- linegrafica.es
 \
  |--> sd4540.linegrafica.es

IP Addresses:
- 188.165.223.225 [sd4540.linegrafica.es]
 \
  |--> Potentially malicious file hosting.
  |--> Alive host.
  |--> Location => Paris, France
  |--> Whois descr => OVH SAS / Dedicated Servers
  |--> 21(ftp), 22(ssh), 25(smtp), 80(http), 110(pop3), 143(imap)
   \-> 443(https), 465(smtps), 587(submission), 993(imaps), 995(pop3s), 2222(EtherNetIP-1)
   \-> 3306(mysql), 5666(nrpe) open

- 37.59.144.82 [ip82.ip-37-59-144.eu]
 \
  |--> Alive host.
  |--> Dropping icmp and tcp/syn packets
  |--> Location => Paris, France
  |--> Whois descr => OVH Static IP

- 213.251.172.94 [ip94.ip-213-251-172.eu]
 \
  |--> Alive host.
  |--> 21(ftp), 80(http), 443(https) open
  |--> Location => Paris, France
  |--> Whois descr => OVH SAS / Dedicated Servers
---------------------------------------------------

Linked DLL Files:
-------------------------------
- USER32.dll & user32.dll
- ADVAPI32.dll & advapi32.dll
- SHELL32.dll
- KERNEL32.dll & kernel32.dll
-------------------------------
