
Analysis Report Gd6m5pifUi

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:141294
Start date:13.06.2019
Start time:00:26:38
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 13m 53s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Gd6m5pifUi (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.phis.troj.spyw.evad.winEXE@9/7@8/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 3.6% (good quality ratio 2.2%)
  • Quality average: 46.6%
  • Quality standard deviation: 39.6%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 431
  • Number of non-executed functions: 5
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, sc.exe, TiWorker.exe, WMIADAP.exe, SIHClient.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, TrustedInstaller.exe
  • Excluded IPs from analysis (whitelisted): 52.155.172.105, 13.68.93.109, 23.10.249.17, 23.10.249.50, 13.107.4.50
  • Excluded domains from analysis (whitelisted): sls.emea.update.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, au.au-msedge.net, sls.update.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, sls.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, a767.dscg3.akamai.net, au.c-0001.c-msedge.net, settingsfd-geo.trafficmanager.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Whitelisted:false
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques matched by the sample carry the report's signature-count badges in brackets, kept as extracted; techniques without a badge are the matrix's unmatched defaults.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship
Execution: Windows Management Instrumentation [111]; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32
Persistence: Registry Run Keys / Startup Folder [1]; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
Privilege Escalation: Access Token Manipulation [1]; Process Injection [11]; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
Defense Evasion: Software Packing [12]; Disabling Security Tools [1]; Obfuscated Files or Information [2]; Masquerading [1]; Access Token Manipulation [1]; Process Injection [11]; DLL Side-Loading [1]; Indicator Blocking; Process Injection
Credential Access: Credential Dumping [2]; Credentials in Files [2]; Input Capture [21]; Credentials in Registry [2]; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
Discovery: Account Discovery [1]; Security Software Discovery [121]; File and Directory Discovery [1]; System Information Discovery [112]; Query Registry [1]; Process Discovery [2]; System Owner/User Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: Remote File Copy [2]; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
Collection: Data from Local System [2]; Input Capture [21]; Clipboard Data [1]; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection
Exfiltration: Data Encrypted [1]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Remote File Copy [2]; Standard Cryptographic Protocol [1]; Standard Non-Application Layer Protocol [3]; Standard Application Layer Protocol [13]; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption

Signature Overview


AV Detection:

Antivirus detection for URL or domain
  • Source: http://tonishl.ml/nonso/WebPanel/api.php; Avira URL Cloud: Label: malware
  • Source: http://tonishl.ml; Avira URL Cloud: Label: malware
Antivirus or Machine Learning detection for dropped file
  • Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe; Avira: Label: HEUR/AGEN.1015993
  • Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  • Source: Gd6m5pifUi.exe; Avira: Label: HEUR/AGEN.1015993
  • Source: Gd6m5pifUi.exe; Joe Sandbox ML: detected
Multi AV Scanner detection for domain / URL
  • Source: tonishl.ml; virustotal: Detection: 8%
  • Source: http://tonishl.ml/nonso/WebPanel/api.php; virustotal: Detection: 9%
  • Source: http://tonishl.ml; virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
  • Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe; virustotal: Detection: 77%
  • Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe; metadefender: Detection: 36%
Multi AV Scanner detection for submitted file
  • Source: Gd6m5pifUi.exe; virustotal: Detection: 77%
  • Source: Gd6m5pifUi.exe; metadefender: Detection: 36%
Antivirus or Machine Learning detection for unpacked file
  • Source: 18.2.Oxford Health Plans Inc.exe.800000.1.unpack; Avira: Label: TR/Dropper.Gen
  • Source: 17.2.Oxford Health Plans Inc.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
  • Source: 1.2.Gd6m5pifUi.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
  • Source: 0.1.Gd6m5pifUi.exe.970000.0.unpack; Joe Sandbox ML: detected
  • Source: 0.0.Gd6m5pifUi.exe.970000.0.unpack; Joe Sandbox ML: detected
  • Source: 1.1.Gd6m5pifUi.exe.4f0000.0.unpack; Joe Sandbox ML: detected
  • Source: 17.1.Oxford Health Plans Inc.exe.4d0000.0.unpack; Joe Sandbox ML: detected
  • Source: 18.2.Oxford Health Plans Inc.exe.3c0000.0.unpack; Joe Sandbox ML: detected
  • Source: 15.2.Oxford Health Plans Inc.exe.ab0000.0.unpack; Joe Sandbox ML: detected
  • Source: 15.0.Oxford Health Plans Inc.exe.ab0000.0.unpack; Joe Sandbox ML: detected
  • Source: 0.2.Gd6m5pifUi.exe.71c0000.4.unpack; Joe Sandbox ML: detected
  • Source: 1.2.Gd6m5pifUi.exe.4f0000.1.unpack; Joe Sandbox ML: detected
  • Source: 18.0.Oxford Health Plans Inc.exe.3c0000.0.unpack; Joe Sandbox ML: detected
  • Source: 1.0.Gd6m5pifUi.exe.4f0000.0.unpack; Joe Sandbox ML: detected
  • Source: 0.2.Gd6m5pifUi.exe.6ca0000.2.unpack; Joe Sandbox ML: detected
  • Source: 18.2.Oxford Health Plans Inc.exe.800000.1.unpack; Joe Sandbox ML: detected
  • Source: 17.2.Oxford Health Plans Inc.exe.400000.0.unpack; Joe Sandbox ML: detected
  • Source: 16.2.Oxford Health Plans Inc.exe.5d30000.2.unpack; Joe Sandbox ML: detected
  • Source: 0.2.Gd6m5pifUi.exe.970000.0.unpack; Joe Sandbox ML: detected
  • Source: 15.2.Oxford Health Plans Inc.exe.54f0000.2.unpack; Joe Sandbox ML: detected
  • Source: 16.1.Oxford Health Plans Inc.exe.100000.0.unpack; Joe Sandbox ML: detected
  • Source: 15.1.Oxford Health Plans Inc.exe.ab0000.0.unpack; Joe Sandbox ML: detected
  • Source: 1.2.Gd6m5pifUi.exe.400000.0.unpack; Joe Sandbox ML: detected
  • Source: 16.0.Oxford Health Plans Inc.exe.100000.0.unpack; Joe Sandbox ML: detected
  • Source: 15.2.Oxford Health Plans Inc.exe.6810000.4.unpack; Joe Sandbox ML: detected
  • Source: 18.1.Oxford Health Plans Inc.exe.3c0000.0.unpack; Joe Sandbox ML: detected
  • Source: 16.2.Oxford Health Plans Inc.exe.5e30000.4.unpack; Joe Sandbox ML: detected
  • Source: 17.2.Oxford Health Plans Inc.exe.4d0000.1.unpack; Joe Sandbox ML: detected
  • Source: 16.2.Oxford Health Plans Inc.exe.100000.0.unpack; Joe Sandbox ML: detected
  • Source: 17.0.Oxford Health Plans Inc.exe.4d0000.0.unpack; Joe Sandbox ML: detected

Networking:

May check the online IP address of the machine
  • Source: unknown; DNS query: name: checkip.dyndns.org (6 identical queries)
HTTP GET or POST without a user agent
  • Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Host: checkip.dyndns.org | Connection: Keep-Alive (2 identical requests)
IP address seen in connection with other malware
  • Source: Joe Sandbox View; IP Address: 131.186.113.70
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View; ASN Name: unknown
Uses a known web browser user agent for HTTP communication
  • Source: global traffic; HTTP traffic detected: POST /nonso/WebPanel/api.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) | Content-Type: application/x-www-form-urlencoded | Host: tonishl.ml | Content-Length: 306 | Expect: 100-continue | Connection: Keep-Alive (2 identical requests)
  • Source: global traffic; HTTP traffic detected: POST /nonso/WebPanel/api.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) | Content-Type: application/x-www-form-urlencoded | Host: tonishl.ml | Content-Length: 352 | Expect: 100-continue
  • Source: global traffic; HTTP traffic detected: POST /nonso/WebPanel/api.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) | Content-Type: application/x-www-form-urlencoded | Host: tonishl.ml | Content-Length: 344 | Expect: 100-continue (2 identical requests)
  • Source: global traffic; HTTP traffic detected: POST /nonso/WebPanel/api.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) | Content-Type: application/x-www-form-urlencoded | Host: tonishl.ml | Content-Length: 306 | Expect: 100-continue (9 identical requests)
  • Source: global traffic; HTTP traffic detected: POST /nonso/WebPanel/api.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) | Content-Type: application/x-www-form-urlencoded | Host: tonishl.ml | Content-Length: 346 | Expect: 100-continue
  • Source: global traffic; HTTP traffic detected: POST /nonso/WebPanel/api.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) | Content-Type: application/x-www-form-urlencoded | Host: tonishl.ml | Content-Length: 304 | Expect: 100-continue
Contains functionality to download additional files from the internet
  • Source: C:\Users\user\Desktop\Gd6m5pifUi.exe; Code function: 1_2_00DEA09A recv, 1_2_00DEA09A
Downloads files from webservers via HTTP
  • Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Host: checkip.dyndns.org | Connection: Keep-Alive (2 identical requests)
Found strings which match to known social media urls
  • Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp; String found in binary or memory: 1qGFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
  • Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp; String found in binary or memory: 1qGFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3654 equals www.hotmail.com (Hotmail)
  • Source: Oxford Health Plans Inc.exe, 00000011.00000002.1578825839.0000000000B64000.00000004.sdmp; String found in binary or memory: MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
  • Source: Oxford Health Plans Inc.exe, 00000011.00000002.1578825839.0000000000B64000.00000004.sdmp; String found in binary or memory: MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365Kt5 equals www.hotmail.com (Hotmail)
Performs DNS lookups
  • Source: unknown; DNS traffic detected: queries for: checkip.dyndns.org
Posts data to webserver
  • Source: unknown; HTTP traffic detected: POST /nonso/WebPanel/api.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) | Content-Type: application/x-www-form-urlencoded | Host: tonishl.ml | Content-Length: 306 | Expect: 100-continue | Connection: Keep-Alive
Urls found in memory or binary data
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfh~
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1583720573.00000000060E0000.00000004.sdmpString found in binary or memory: https://tarifrechner.heise.de/wid
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmpString found in binary or memory: https://tarifrechner.heise.de/widget.php
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmpString found in binary or memory: https://tarifrechner.heise.de/widget.php?produkt=dsl
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmpString found in binary or memory: https://tarifrechner.heise.de/widget.php?produkt=dsl4
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmpString found in binary or memory: https://tarifrechner.heise.de/widget.phpD
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmpString found in binary or memory: https://tarifrechner.heise.de/widget.phpP

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Detected Agent Tesla keylogger
Source: Oxford Health Plans Inc.exe, 00000012.00000002.897827866.0000000000802000.00000040.sdmp | Memory string: get_Clipboard
Source: Oxford Health Plans Inc.exe, 00000012.00000002.897827866.0000000000802000.00000040.sdmp | Memory string: set_Sendwebcam
Source: Oxford Health Plans Inc.exe, 00000012.00000002.897827866.0000000000802000.00000040.sdmp | Memory string: get_ComputerName
Source: Oxford Health Plans Inc.exe, 00000012.00000002.897827866.0000000000802000.00000040.sdmp | Memory string: get_UserName
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Gd6m5pifUi.exe
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 0.1.Gd6m5pifUi.exe.970000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 0.0.Gd6m5pifUi.exe.970000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 0.2.Gd6m5pifUi.exe.970000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: Oxford Health Plans Inc.exe.1.dr, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 1.1.Gd6m5pifUi.exe.4f0000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 1.2.Gd6m5pifUi.exe.4f0000.1.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 1.0.Gd6m5pifUi.exe.4f0000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 15.0.Oxford Health Plans Inc.exe.ab0000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 15.1.Oxford Health Plans Inc.exe.ab0000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 16.1.Oxford Health Plans Inc.exe.100000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 16.0.Oxford Health Plans Inc.exe.100000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 16.2.Oxford Health Plans Inc.exe.100000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 17.1.Oxford Health Plans Inc.exe.4d0000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 17.2.Oxford Health Plans Inc.exe.4d0000.1.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 17.0.Oxford Health Plans Inc.exe.4d0000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Source: 18.2.Oxford Health Plans Inc.exe.3c0000.0.unpack, a4attempt4/?.cs | Large array initialization: GetByte: array initializer size 74240
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_05692AE2 NtQuerySystemInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_05692AB1 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05512C0A NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05512BD9 NtQuerySystemInformation
Creates files inside the system directory
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
Creates mutexes
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Detected potential crypto function
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 0_2_00975336
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 0_2_05292738
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 0_2_05290EC0
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_004F5336
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_04CD2E40
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_04CD1058
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_04CD13C5
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_04CD11F2
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_04CD1048
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_04CD140D
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_04CD2E3A
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_0623EC30
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_0623AA90
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_06235550
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_0623A3E0
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_062307F4
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_0623AA81
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 15_2_00AB5336
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 15_2_02D82738
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 15_2_02D80EC0
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_00105336
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_048C2738
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_048C4A70
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_048C0EC0
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_004D5336
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_00EF2E40
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_00EF1058
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_00EF140D
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_00EF11F2
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_00EF13C5
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05FBB4F8
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05FBEC38
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05FB07F4
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05FBBBA8
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05FB5600
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05FBBB99
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 18_2_003C5336
Reads the hosts file
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different from the original file name gathered from version info
Source: Gd6m5pifUi.exe, 00000000.00000002.647865143.00000000071A0000.00000002.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000000.00000001.533165349.00000000009E8000.00000002.sdmp | Binary or memory string: OriginalFilenameEmeka.exe vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000000.00000002.643595461.0000000004283000.00000004.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000000.00000002.643595461.0000000004283000.00000004.sdmp | Binary or memory string: VALUE "OriginalFilename", "%exename%" vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000000.00000002.646964949.0000000006C40000.00000002.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000000.00000002.647896731.00000000071C0000.00000004.sdmp | Binary or memory string: OriginalFilenameeconomymode.exe8 vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000001.00000002.1574172753.0000000004D70000.00000002.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000001.00000001.637166473.0000000000568000.00000002.sdmp | Binary or memory string: OriginalFilenameEmeka.exe vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000001.00000002.1568848241.0000000000402000.00000040.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000001.00000002.1568848241.0000000000402000.00000040.sdmp | Binary or memory string: VALUE "OriginalFilename", "%exename%" vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000001.00000002.1574439204.0000000005150000.00000002.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe, 00000001.00000002.1575773247.0000000006180000.00000002.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Gd6m5pifUi.exe
Source: Gd6m5pifUi.exe | Binary or memory string: OriginalFilenameEmeka.exe vs Gd6m5pifUi.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File read: C:\Users\user\Desktop\Gd6m5pifUi.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Section loaded: wow64log.dll
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: Gd6m5pifUi.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Oxford Health Plans Inc.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/7@8/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 0_2_07190A1E AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 0_2_071909E7 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_05692966 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_0569292F AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 15_2_054C0A1E AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 15_2_054C09E7 AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_062E0A1E AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_062E09E7 AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05512A8E AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_05512A57 AdjustTokenPrivileges
Creates files inside the user directory
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Gd6m5pifUi.exe.log
PE file has an executable .text section and no other executable section
Source: Gd6m5pifUi.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: Gd6m5pifUi.exe | virustotal: Detection: 77%
Source: Gd6m5pifUi.exe | metadefender: Detection: 36%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Gd6m5pifUi.exe 'C:\Users\user\Desktop\Gd6m5pifUi.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Gd6m5pifUi.exe C:\Users\user\Desktop\Gd6m5pifUi.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe 'C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Process created: C:\Users\user\Desktop\Gd6m5pifUi.exe C:\Users\user\Desktop\Gd6m5pifUi.exe
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Process created: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
PE file contains a COM descriptor data directory
Source: Gd6m5pifUi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Gd6m5pifUi.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: Gd6m5pifUi.exe, 00000000.00000002.643595461.0000000004283000.00000004.sdmp, Gd6m5pifUi.exe, 00000001.00000002.1568848241.0000000000402000.00000040.sdmp, Oxford Health Plans Inc.exe, 0000000F.00000002.847156697.0000000004100000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000010.00000002.874107025.0000000003A71000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1577371778.0000000000402000.00000040.sdmp, Oxford Health Plans Inc.exe, 00000012.00000002.897827866.0000000000802000.00000040.sdmp
Source: Binary string: mscorrc.pdb source: Gd6m5pifUi.exe, 00000000.00000002.646964949.0000000006C40000.00000002.sdmp, Gd6m5pifUi.exe, 00000001.00000002.1575773247.0000000006180000.00000002.sdmp, Oxford Health Plans Inc.exe, 0000000F.00000002.851097560.00000000067B0000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000010.00000002.877112596.0000000005DD0000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1583456877.0000000005F40000.00000002.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 0_2_00975336 push esp; iretd 0_2_009754FC
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_004F5336 push esp; iretd 1_2_004F54FC
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_02670BDA push eax; iretd 1_2_02670BDB
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_0623A350 push eax; retf 1_2_0623A351
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 15_2_00AB5336 push esp; iretd 15_2_00AB54FC
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_00105336 push esp; iretd 16_2_001054FC
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_00806DB0 pushad ; retn 0080h 16_2_00806DB5
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 16_2_00806CD5 pushad ; retn 0080h 16_2_00806D99
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_004D5336 push esp; iretd 17_2_004D54FC
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 17_2_00CB2AF8 pushad ; retf 17_2_00CB2AF9
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Code function: 18_2_003C5336 push esp; iretd 18_2_003C54FC
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.94723659109

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File created: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Oxford Health Plans Inc

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File opened: C:\Users\user\Desktop\Gd6m5pifUi.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | File opened: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | File opened: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Gd6m5pifUi.exe, 00000000.00000002.643595461.0000000004283000.00000004.sdmp, Gd6m5pifUi.exe, 00000001.00000002.1568848241.0000000000402000.00000040.sdmp, Oxford Health Plans Inc.exe, 0000000F.00000002.847156697.0000000004100000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000010.00000002.874107025.0000000003A71000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1577371778.0000000000402000.00000040.sdmp, Oxford Health Plans Inc.exe, 00000012.00000002.897827866.0000000000802000.00000040.sdmp | Binary or memory string: DIR_WATCH.DLL
Source: Gd6m5pifUi.exe, 00000000.00000002.643595461.0000000004283000.00000004.sdmp, Gd6m5pifUi.exe, 00000001.00000002.1568848241.0000000000402000.00000040.sdmp, Oxford Health Plans Inc.exe, 0000000F.00000002.847156697.0000000004100000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000010.00000002.874107025.0000000003A71000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1577371778.0000000000402000.00000040.sdmp, Oxford Health Plans Inc.exe, 00000012.00000002.897827866.0000000000802000.00000040.sdmp | Binary or memory string: API_LOG.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Thread delayed: delay time: 1800000
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Thread delayed: delay time: 1800000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe TID: 4088 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe TID: 384 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe TID: 384 | Thread sleep time: -3600000s >= -30000s
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe TID: 4264 | Thread sleep count: 236 > 30
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe TID: 4264 | Thread sleep time: -118000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe TID: 1232 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe TID: 1500 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe TID: 1188 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe TID: 1188 | Thread sleep time: -3600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe TID: 1188 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe TID: 1184 | Thread sleep count: 182 > 30
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe TID: 1184 | Thread sleep time: -91000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Gd6m5pifUi.exe, 00000001.00000002.1574439204.0000000005150000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1582378637.0000000005130000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000012.00000002.903301771.0000000005040000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Oxford Health Plans Inc.exe, 00000012.00000002.897827866.0000000000802000.00000040.sdmp | Binary or memory string: vmware
Source: Oxford Health Plans Inc.exe, 00000012.00000002.899587473.0000000000A91000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: Gd6m5pifUi.exe, 00000001.00000002.1574439204.0000000005150000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1582378637.0000000005130000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000012.00000002.903301771.0000000005040000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Gd6m5pifUi.exe, 00000001.00000002.1574439204.0000000005150000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1582378637.0000000005130000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000012.00000002.903301771.0000000005040000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Gd6m5pifUi.exe, 00000001.00000002.1574439204.0000000005150000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1582378637.0000000005130000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000012.00000002.903301771.0000000005040000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Code function: 1_2_04CD20F1 LdrInitializeThunk,1_2_04CD20F1
Enables debug privileges
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Memory written: C:\Users\user\Desktop\Gd6m5pifUi.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Memory written: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe | Memory written: C:\Users\user\AppData\Roaming\Oxford Health Plans Inc\Oxford Health Plans Inc.exe base: 800000 value starts with: 4D5A
May try to detect the Windows Explorer process (often used for injection)
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: Program Manager
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font>X
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>rX
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font>X
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>X
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br>
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: Program ManagerD
Source: Gd6m5pifUi.exe, 00000001.00000002.1570811283.00000000011B0000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1579743902.00000000012F0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1570811283.00000000011B0000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1579743902.00000000012F0000.00000002.sdmp | Binary or memory string: Progman
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br>
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1570811283.00000000011B0000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1579743902.00000000012F0000.00000002.sdmp | Binary or memory string: Progmanlock
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font>X
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>
Source: Gd6m5pifUi.exe, 00000001.00000002.1570811283.00000000011B0000.00000002.sdmp, Oxford Health Plans Inc.exe, 00000011.00000002.1579743902.00000000012F0000.00000002.sdmp | Binary or memory string: Program Manager>
Source: Gd6m5pifUi.exe, 00000001.00000002.1572382162.0000000002AC0000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:28:35)</span></span><br><font color=#008000>{Win}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Oxford Health Plans Inc.exe, 00000011.00000002.1580856820.0000000002B40000.00000004.sdmp | Binary or memory string: <br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>[Program Manager]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (06/13/2019 00:29:32)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Gd6m5pifUi.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation