Windows Analysis Report
rb7-1-3.exe

Overview

General Information

Sample name: rb7-1-3.exe
Analysis ID: 1417375
MD5: 4f99f43b39d425d2f6b063ebb19d9845
SHA1: 86cdafd86ffea14982775bb457334b262d4f6b32
SHA256: 96ebf8c80f60ce22d551c7fe24a3f0e81f176f87fd545d9a7fb733b75eb78499

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_004540C0 CreateFileW,GetLastError,GetLastError,_wprintf,CloseHandle,GetLastError,_wprintf,CloseHandle,CryptCreateHash,CryptReleaseContext,GetLastError,_wprintf,CloseHandle,CryptReleaseContext,ReadFile,CryptHashData,GetLastError,_wprintf,CryptReleaseContext,CryptDestroyHash,CloseHandle,ReadFile,GetLastError,_wprintf,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,_wprintf,GetLastError,_wprintf,CryptDestroyHash,CryptReleaseContext,CloseHandle, 1_2_004540C0 (open a file, CryptCreateHash, a ReadFile/CryptHashData loop, then CryptGetHashParam: this is a file-digest routine. No CryptEncrypt or CryptDecrypt call appears in the chain, so the "Enhanced Cryptographic Provider" use here is hashing, not encryption.)
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0046DEDA CryptReleaseContext,CloseHandle,GetLastError,_LocaleUpdate::_LocaleUpdate,__isleadbyte_l,__cftof,_strlen,__malloc_crt,DecodePointer,DecodePointer,DecodePointer,__aulldvrm,_write_multi_char,_write_string,_write_multi_char,__cftof,_write_string,_write_string,_write_multi_char,_free, 1_2_0046DEDA
Source: rb7-1-3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\uninstallmanifest.txt Jump to behavior
Source: rb7-1-3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: I:\IA_CodeBase\native\Libraries\Win32\remove\Release\remove.pdb source: remove.exe.0.dr
Source: Binary string: I:\IA_CodeBase\main\ZGWin32LaunchHelper\Release\ZGWin32LaunchHelper.pdb source: ZGWin32LaunchHelper.exe.0.dr
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C28300 LoadStringW,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,LoadStringW,GetCurrentDirectoryW,_wcscpy,_wcscpy,GetTempPathW,SetCurrentDirectoryW,CreateDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetCurrentDirectoryW,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,__time64,__swprintf,CreateDirectoryW,GetFullPathNameW,GetFullPathNameW,SetCurrentDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,GetCurrentDirectoryW,_wcscat,_wcscpy,_wcscpy,SetCurrentDirectoryW,RemoveDirectoryW,GetModuleFileNameW,__wsplitpath,SetCurrentDirectoryW,RemoveDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,__fread_nolock,_wcscpy,_wcscat,_wcscat,__swprintf,_wcscpy,SetCurrentDirectoryW,RemoveDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,_fseek,_fseek,SetCurrentDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,__aulldiv,GetModuleFileNameW,GetLastError,SetCurrentDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,SetCurrentDirectoryW,RemoveDirectoryW,GetKeyState,__swprintf,PathIsDirectoryW,_wcscpy,_wcscpy,__swprintf,FindFirstFileW,_wprintf,FindClose,__swprintf,GetConsoleWindow,ShowWindow,SetCurrentDirectoryW,RemoveDirectoryW,_wcscpy,_wcscat,SetCurrentDirectoryW,RemoveDirectoryW,LoadStringW,GetModuleFileNameW,_wcscpy,_wcscat,WideCharToMultiByte,WideCharToMultiByte,GetLastError,SetCurrentDirectoryW,RemoveDirectoryW,LoadStringW,_wcscpy,_wcscat,_wcscat,__swprintf,_wcscpy,SetCurrentDirectoryW,_memset,_memset,__wsplitpath,_wcscpy,_wcscat,_wcscpy,GetCommandLineW,_wcscpy,__swprintf,FindFirstFileW,_wprintf,_wcscpy,__swprintf,FindFirstFileW,_wprintf,FindClose,FindClose,__swprintf,_wcscpy,CreateProcessW,SetCurrentDirectoryW,RemoveDirectoryW, 0_2_00C28300
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C49722 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose, 0_2_00C49722
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C2B640 __swprintf,PathIsDirectoryW,_wcscpy,_wcscpy,__swprintf,FindFirstFileW,_wprintf,FindClose,__swprintf, 0_2_00C2B640
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C27980 _memset,_wcscpy,__swprintf,FindFirstFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00C27980
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0044325F __EH_prolog,_wprintf,_wprintf,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,_wprintf,MessageBoxW,EndDialog, 1_2_0044325F
Source: Resource1.zip.0.dr String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: Resource1.zip.0.dr String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: Resource1.zip.0.dr String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: Resource1.zip.0.dr String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Resource1.zip.0.dr String found in binary or memory: http://java.sun.com
Source: Resource1.zip.0.dr String found in binary or memory: http://java.sun.com/jaxb/xjc/dummy-elements
Source: Resource1.zip.0.dr String found in binary or memory: http://java.sun.com/xml/jaxb
Source: Resource1.zip.0.dr String found in binary or memory: http://java.sun.com/xml/ns/jaxb
Source: Resource1.zip.0.dr String found in binary or memory: http://java.sun.com/xml/ns/jaxb/xjc
Source: Resource1.zip.0.dr String found in binary or memory: http://java.sun.com/xml/ns/relaxng/java-datatypes
Source: Resource1.zip.0.dr String found in binary or memory: http://jaxb.dev.java.net
Source: Resource1.zip.0.dr String found in binary or memory: http://jaxb.dev.java.net/
Source: Resource1.zip.0.dr String found in binary or memory: http://nwalsh.com/xcatalog/1.0
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: Resource1.zip.0.dr String found in binary or memory: http://relaxng.org/ns/annotation/1.0
Source: Resource1.zip.0.dr String found in binary or memory: http://relaxng.org/ns/compatibility/annotations/1.0
Source: Resource1.zip.0.dr String found in binary or memory: http://relaxng.org/ns/compatibility/datatypes/1.0
Source: Resource1.zip.0.dr String found in binary or memory: http://relaxng.org/ns/structure/0.9
Source: Resource1.zip.0.dr String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Resource1.zip.0.dr String found in binary or memory: http://www.dom4j.org/
Source: rb7-1-3.exe, rb7-1-3.exe, 00000000.00000003.1685765191.0000000001254000.00000004.00000020.00020000.00000000.sdmp, rb7-1-3.exe, 00000000.00000002.1686351924.0000000001254000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.installanywhere.com
Source: Resource1.zip.0.dr String found in binary or memory: http://www.iso-relax.org/catalog
Source: Resource1.zip.0.dr String found in binary or memory: http://www.iso-relax.org/verifier/filter
Source: Resource1.zip.0.dr String found in binary or memory: http://www.iso-relax.org/verifier/handler
Source: Resource1.zip.0.dr String found in binary or memory: http://www.newyorkfed.org/markets/talf.html.
Source: Resource1.zip.0.dr String found in binary or memory: http://www.osc.gov.on.ca/Media/NewsReleases/2008/nr_20080919_csa-sup-temp-order.jsp
Source: Resource1.zip.0.dr String found in binary or memory: http://www.sec.gov/rules/other/2008/34-58592.pdf
Source: Resource1.zip.0.dr String found in binary or memory: http://www.sun.com/policies/trademarks.
Source: Resource1.zip.0.dr String found in binary or memory: http://www.sun.com/xml/developers/resolver/
Source: Resource1.zip.0.dr String found in binary or memory: http://www.sun.com/xml/msv/schema
Source: Resource1.zip.0.dr String found in binary or memory: http://www.sun.com/xml/msv/trex-type
Source: Resource1.zip.0.dr String found in binary or memory: http://www.sun.com/xmlns/jaxb/dom4j-location
Source: Resource1.zip.0.dr String found in binary or memory: http://www.sun.com/xmlns/msv/features/panicMode
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: Resource1.zip.0.dr String found in binary or memory: http://www.thaiopensource.com/trex
Source: Resource1.zip.0.dr String found in binary or memory: http://www.xml.gr.jp/relax/core1/relaxCore.dtd
Source: Resource1.zip.0.dr String found in binary or memory: http://www.xml.gr.jp/relax/namespace1/relaxNamespace.dtd
Source: Resource1.zip.0.dr String found in binary or memory: http://www.xml.gr.jp/xmlns/relaxCore
Source: Resource1.zip.0.dr String found in binary or memory: http://www.xml.gr.jp/xmlns/relaxNamespace
Source: Resource1.zip.0.dr String found in binary or memory: http://xml.org/sax/features/namespaces
Source: Resource1.zip.0.dr String found in binary or memory: http://xml.org/sax/features/string-interning
Source: Resource1.zip.0.dr String found in binary or memory: http://xml.org/sax/features/validation
Source: Resource1.zip.0.dr String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: ZGWin32LaunchHelper.exe.0.dr, remove.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C42277 0_2_00C42277
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C408B8 0_2_00C408B8
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C3DAC6 0_2_00C3DAC6
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4DE5F 0_2_00C4DE5F
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C40FE8 0_2_00C40FE8
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4A0C0 0_2_00C4A0C0
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C5D035 0_2_00C5D035
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C611C3 0_2_00C611C3
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4A16D 0_2_00C4A16D
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4B2E3 0_2_00C4B2E3
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4D5C3 0_2_00C4D5C3
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C5D5A5 0_2_00C5D5A5
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4A661 0_2_00C4A661
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C40605 0_2_00C40605
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C5CAC5 0_2_00C5CAC5
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4AA79 0_2_00C4AA79
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C5DD21 0_2_00C5DD21
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C5ED3F 0_2_00C5ED3F
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4AEAE 0_2_00C4AEAE
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0046A0F5 1_2_0046A0F5
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00449D4A 1_2_00449D4A
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0047A061 1_2_0047A061
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00466018 1_2_00466018
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0045B14E 1_2_0045B14E
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_004791F9 1_2_004791F9
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0046718E 1_2_0046718E
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0045C341 1_2_0045C341
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0045A42B 1_2_0045A42B
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0047850D 1_2_0047850D
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0046650C 1_2_0046650C
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00471594 1_2_00471594
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00466924 1_2_00466924
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00478A7D 1_2_00478A7D
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0046CA29 1_2_0046CA29
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00459B74 1_2_00459B74
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00465BC2 1_2_00465BC2
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00466D59 1_2_00466D59
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0045ADAC 1_2_0045ADAC
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00465EC0 1_2_00465EC0
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00477F9D 1_2_00477F9D
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: String function: 00C4D8F0 appears 63 times
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: String function: 00C2AAA0 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: String function: 00460758 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: String function: 00442653 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: String function: 00468020 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: String function: 0044278B appears 58 times
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: String function: 0047A704 appears 187 times
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: String function: 0045E885 appears 66 times
Source: rb7-1-3.exe, 00000000.00000000.1617620698.0000000000C7B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiase.exe@ vs rb7-1-3.exe
Source: rb7-1-3.exe, 00000001.00000002.1685358128.0000000000494000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamegui.exe@ vs rb7-1-3.exe
Source: rb7-1-3.exe, 00000001.00000002.1685465745.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamejava.exeN vs rb7-1-3.exe
Source: rb7-1-3.exe, 00000001.00000002.1685465745.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamejavaw.exeN vs rb7-1-3.exe
Source: rb7-1-3.exe Binary or memory string: OriginalFilenameiase.exe@ vs rb7-1-3.exe (the outer stub's version resource names it iase.exe and the extracted inner stub's names it gui.exe; the java.exe/javaw.exe values are in memory because the launcher searches for a JVM, consistent with the JavaSoft registry read below. The file-name mismatch signature is therefore explained by a renamed installer stub rather than by a binary masquerading as something else.)
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Section loaded: wintypes.dll Jump to behavior
Source: classification engine Classification label: clean9.winEXE@3/22@0/0
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C28100 GetVersionExW,GetDiskFreeSpaceW,LoadLibraryW,GetProcAddress,GetDiskFreeSpaceW,GetDiskFreeSpaceExA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00C28100
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C2AA50 FindResourceW,LoadResource, 0_2_00C2AA50
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362 Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Command line argument: LAX_DEBUG 0_2_00C273B0
Source: C:\Users\user\Desktop\rb7-1-3.exe Command line argument: TRUE 0_2_00C273B0
Source: C:\Users\user\Desktop\rb7-1-3.exe Command line argument: true 0_2_00C273B0
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Command line argument: silent 1_2_004552D1
Source: rb7-1-3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rb7-1-3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: rb7-1-3.exe String found in binary or memory: lax.installer.win32.internal.property.0= lax.nl.current.vm= lax.nl.java.option.java.heap.size.max=50331648 lax.nl.win32.microsoftvm.min.version=3167 lax.class.path=../InstallerData/IAClasses.zip;../InstallerData/Execute.zip;InstallerData/Execute.zi
Source: rb7-1-3.exe String found in binary or memory: ;../InstallerData/Resource1.zip;InstallerData/Resource1.zip;../InstallerData;InstallerData lax.nl.java.option.additional=
Source: rb7-1-3.exe String found in binary or memory: n en donde extraer el instalador./InstallAnywhere est (Spanish localized installer text, truncated at both ends: "...where to extract the installer." and "InstallAnywhere is...")
Source: rb7-1-3.exe String found in binary or memory: jlt.<Riprovare con un'altra copia del programma di installazione.9Spazio su disco insufficiente per la cartella temporanea.PSelezionare una posizione temporanea per estrarre il programma di installazione:JSelezionare un'altra posizione per estrarre il programma di installazione:3Installazione di InstallAnywhere in preparazione...3Programma di auto-installazione di InstallAnywhere.'Impossibile estrarre il file compresso./Nessun file compresso nel programma eseguibile.!Numero magico non corrispondente. (Italian string-table entries; the single character in front of each message is its length prefix, e.g. "<" is 60, the length of the first message. English: "Retry with another copy of the installer." / "Insufficient disk space for the temporary folder." / "Select a temporary location to extract the installer:" / "Select another location to extract the installer:" / "InstallAnywhere installation in preparation..." / "InstallAnywhere self-installer." / "Unable to extract the compressed file." / "No compressed file in the executable." / "Magic number mismatch.")
Source: rb7-1-3.exe String found in binary or memory: .PAEProbeer opnieuw met een ander exemplaar van het installatieprogramma.7Onvoldoende vrije schijfruimte in de tijdelijke folder.IKies een tijdelijke locatie om het installatieprogramma te decomprimeren:EKies een andere locatie om het installatieprogramma te decomprimeren:@InstallAnywhere is bezig met het voorbereiden van de installatie"InstallAnywhere zelf-installeerder>Decomprimeren van het gecomprimeerde bestand is niet mogelijk.5Dit opdrachtbestand bevat geen gecomprimeerd bestand. (Dutch string-table entries with the same length-prefix layout. English: "Try again with another copy of the installer." / "Insufficient free disk space in the temporary folder." / "Choose a temporary location to decompress the installer:" / "Choose another location to decompress the installer:" / "InstallAnywhere is preparing the installation" / "InstallAnywhere self-installer" / "Decompressing the compressed file is not possible." / "This executable contains no compressed file.")
Source: rb7-1-3.exe String found in binary or memory: InstallerData/InstalledMedias.properties184e44526c0
Source: rb7-1-3.exe String found in binary or memory: InstallerData/InstalledMedias.properties184e44526c0PK
Source: C:\Users\user\Desktop\rb7-1-3.exe File read: C:\Users\user\Desktop\rb7-1-3.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rb7-1-3.exe "C:\Users\user\Desktop\rb7-1-3.exe"
Source: C:\Users\user\Desktop\rb7-1-3.exe Process created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe
Source: C:\Users\user\Desktop\rb7-1-3.exe Process created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Jump to behavior
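The lax.* property strings and the InstallerData/InstalledMedias.properties...PK entry above, together with the stub reading its own file (File read: C:\Users\user\Desktop\rb7-1-3.exe; GetModuleFileNameW, _fseek and __fread_nolock in 0_2_00C28300), its localized messages about a missing compressed file or a mismatched magic number, and the CreateProcessW of the extracted copy under %TEMP%\I1711691362, describe a self-extracting stub with an appended archive. That payload can be inventoried statically, which tells an analyst which PE files a run would drop without executing the installer. The Python below is an added example written for this page, not Joe Sandbox's or InstallAnywhere's code. It assumes the appended payload is a ZIP that can be located from its end-of-central-directory record (Python's zipfile compensates for leading stub bytes); the page suggests but does not confirm that layout, and the stand-in installer the script builds is constructed, with entry names borrowed from the dropped-file paths in this report and synthetic contents.

```python
"""Static inventory of a self-extracting installer's appended ZIP payload (constructed example)."""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def find_embedded_zip(data):
    """Locate a ZIP archive appended to an executable stub.

    zipfile finds the end-of-central-directory record by scanning backwards from the end
    of the buffer and adds the size of any leading stub bytes to every entry offset, so a
    PE stub in front of the archive is tolerated. Returns (payload_offset, entry_names),
    or (None, []) when no archive is present.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return None, []
    with zipfile.ZipFile(buf) as zf:
        infos = zf.infolist()
    if not infos:
        return None, []
    start = min(info.header_offset for info in infos)  # absolute offset of the first local header
    if data[start:start + 4] != ZIP_LOCAL_HEADER:  # the stub's own "magic number" style sanity check
        raise ValueError("central directory does not point at a local file header")
    return start, [info.filename for info in infos]


def is_pe_image(blob):
    """Check the MZ and PE\\0\\0 signatures instead of trusting the entry's extension."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def embedded_pe_entries(data):
    """Names of payload entries that are PE images, i.e. what a run would write to disk as PE files."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(0x400)  # DOS header plus room for a normal e_lfanew
            if is_pe_image(head):
                found.append(info.filename)
    return found


def build_sample_installer():
    """Constructed stand-in: an opaque stub followed by a ZIP. Not the real rb7-1-3.exe."""
    fake_pe = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(0x20)
    stub = b"STUB" * 64  # 256 bytes of non-ZIP data standing in for the self-extractor code
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("InstallerData/InstalledMedias.properties", "installed=true\n")
        zf.writestr("InstallerData/Resource1.zip", b"nested-archive-placeholder")
        zf.writestr("InstallerData/uninstallmanifest.txt", "manifest placeholder\n")
        zf.writestr("Windows/rb7-1-3.exe", fake_pe)
        zf.writestr("Windows/resource/remove.exe", fake_pe)
        zf.writestr("Windows/resource/ZGWin32LaunchHelper.exe", fake_pe)
    return stub + zbuf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_installer()
    offset, names = find_embedded_zip(blob)
    print("payload offset:", offset)
    for name in names:
        print("  ", name)
    print("PE images in payload:", embedded_pe_entries(blob) if offset is not None else [])
```

Run it as `python inventory_payload.py rb7-1-3.exe` to list the archive entries and the PE images among them before deciding whether a dynamic run is needed at all; with no argument it inventories the constructed sample. If the real stub uses a container that is not a plain ZIP, `find_embedded_zip` returns `(None, [])` rather than guessing, and the next step is to locate the format's own magic number from the stub's disassembly.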
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit Jump to behavior
Source: C:\Users\user\Desktop\rb7-1-3.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Automated click: OK
Source: rb7-1-3.exe Static file information: File size 26991074 > 1048576
Source: rb7-1-3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rb7-1-3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rb7-1-3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rb7-1-3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rb7-1-3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: initial sample Static PE information: section where entry point is pointing to: .rdata
Source: iawin64.dll.0.dr Static PE information: section name: .srdata
Source: win64_32.exe.0.dr Static PE information: section name: .srdata
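The static PE facts above (EXECUTABLE_IMAGE and 32BIT_MACHINE, DYNAMIC_BASE/NX_COMPAT/TERMINAL_SERVER_AWARE, the data-directory placement, an entry point that resolves to .rdata rather than .text, and the .srdata sections in the dropped iawin64.dll and win64_32.exe) can be reproduced offline without the sandbox. The Python below is an added example written for this page, not Joe Sandbox's or InstallAnywhere's code: it parses the PE headers with struct, resolves which section contains AddressOfEntryPoint and whether that section carries IMAGE_SCN_MEM_EXECUTE, lists section names outside a stock MSVC set, reports whether a security data directory (an embedded Authenticode signature, which is what the Thawte/Symantec CRL and OCSP URLs found in ZGWin32LaunchHelper.exe and remove.exe point to) is present, measures any overlay after the last section, and computes the MD5/SHA1/SHA256 shown in General Information. The sample PE it builds is constructed to mirror these facts and is not the real rb7-1-3.exe, and the STANDARD_SECTIONS set is the author's assumption of what counts as a standard name.

```python
"""Static PE triage reproducing the report's header checks (constructed example)."""
import hashlib
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C          # winnt.h constants
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
# Assumption: names a stock MSVC link emits; anything else is reported as non-standard
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".pdata", ".tls", ".bss", ".CRT"}


def parse_pe(data):
    """Read just enough of the headers to answer the report's static questions."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # AddressOfEntryPoint (+16) and DllCharacteristics (+70) share offsets in PE32 and PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dirs_off = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)
    if dirs_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    sec_dir = (0, 0)
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:  # (file offset, size) of the WIN_CERTIFICATE blob
        sec_dir = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    return {"machine": machine, "entry_rva": entry_rva, "dll_chars": dll_chars,
            "security_dir": sec_dir, "sections": sections}


def triage(data):
    """Return the static findings the report lists, as a dict."""
    pe = parse_pe(data)
    entry = None
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry = s
            break
    end_of_sections = max((s["rawptr"] + s["rawsize"] for s in pe["sections"]), default=0)
    return {
        "is_32bit": pe["machine"] == IMAGE_FILE_MACHINE_I386,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_chars"] & bit],
        "entry_section": entry["name"] if entry else None,
        "entry_section_executable": bool(entry and entry["flags"] & IMAGE_SCN_MEM_EXECUTE),
        "nonstandard_sections": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS],
        "has_authenticode": pe["security_dir"][1] > 0,
        "overlay_bytes": max(len(data) - end_of_sections, 0),  # appended data, e.g. an installer payload
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_pe(entry_rva=0x2010, overlay=b""):
    """Constructed PE32 mirroring the report's facts (32-bit, DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE,
    a .srdata section, entry point in .rdata by default). Not the real sample."""
    secs = [  # (name, VirtualAddress, size, PointerToRawData, Characteristics)
        (b".text", 0x1000, 0x200, 0x400, 0x60000020),   # CODE | MEM_EXECUTE | MEM_READ
        (b".rdata", 0x2000, 0x200, 0x600, 0x40000040),  # INITIALIZED_DATA | MEM_READ
        (b".srdata", 0x3000, 0x200, 0x800, 0x40000040),
    ]
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, IMAGE_FILE_MACHINE_I386, len(secs), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x4000, 0x400)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", hdr, opt + 68, 2, 0x8140)                  # Subsystem GUI, DllCharacteristics
    struct.pack_into("<I", hdr, opt + 92, 16)                          # NumberOfRvaAndSizes
    for i, (name, va, size, raw, flags) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i, name, size, va, size, raw, 0, 0, 0, 0, flags)
    return bytes(hdr) + bytes(len(secs) * 0x200) + overlay


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key:26} {value}")
```

Two readings matter when applying this to the sample: an entry point in a section without IMAGE_SCN_MEM_EXECUTE is only loadable if the loader's per-section protection is ignored or the section is remapped at run time, so an "entry point in .rdata" finding deserves a second look at the section's own flags rather than being accepted from the signature name alone; and `overlay_bytes` is large for any self-extracting installer, which is expected here, whereas a large overlay on a binary that does not extract anything is the anomalous case.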
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_3_012547FB push cs; iretd 0_3_012547FC (reported nine times for the same address. The 0_3 prefix marks a memory-dump scan, and 0x012547FB lies inside the read/write private region dumped at 0000000001254000 above, the one holding the installanywhere.com string, not inside a mapped code section. A lone push cs; iretd pair is what a disassembler produces from data bytes, so this hit does not by itself show obfuscation; the single push/ret pairs listed below are likewise a weak signal that Joe Sandbox also reports on unobfuscated MSVC binaries.)
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4D935 push ecx; ret 0_2_00C4D948
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4BE86 push ecx; ret 0_2_00C4BE99
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00468065 push ecx; ret 1_2_00468078
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0047654C push edi; ret 1_2_0047654E
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_004765EA push edi; ret 1_2_004765EC
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_0047A704 push eax; ret 1_2_0047A722
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00463BC8 push ecx; ret 1_2_00463BDB
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\win64_32_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin64_x64.dll Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\remove.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\win64_32.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\invoker.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\ZGWin32LaunchHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin32.dll Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin64.dll Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe File created: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4D5C3 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00C4D5C3
Source: C:\Users\user\Desktop\rb7-1-3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\win64_32_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin64_x64.dll Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\remove.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\win64_32.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\invoker.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\ZGWin32LaunchHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin32.dll Jump to dropped file
Source: C:\Users\user\Desktop\rb7-1-3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\rb7-1-3.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (this chain is consistent with the self-extractor stub reading its own image, as GetModuleFileNameW followed by _fseek and __fread_nolock in 0_2_00C28300 shows, and exiting when the appended payload is absent, the condition its localized strings describe as "no compressed file in the executable"; on its own it is not evidence of sandbox evasion.)
Source: C:\Users\user\Desktop\rb7-1-3.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: IAClasses.zip.0.dr Binary or memory string: 4com/zerog/ia/designer/images/vapp/virtualMachine.png
Source: IAClasses.zip.0.dr Binary or memory string: com/zerog/ia/designer/images/vapp/virtualMachine.png
Source: rb7-1-3.exe Binary or memory string: bRqemu
Source: C:\Users\user\Desktop\rb7-1-3.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C585A2 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00C585A2
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C28100 GetVersionExW,GetDiskFreeSpaceW,LoadLibraryW,GetProcAddress,GetDiskFreeSpaceW,GetDiskFreeSpaceExA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00C28100
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C520EF GetProcessHeap, 0_2_00C520EF
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C51E62 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C51E62
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C51E3F SetUnhandledExceptionFilter, 0_2_00C51E3F
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00465E01 SetUnhandledExceptionFilter, 1_2_00465E01
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: 1_2_00465E24 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00465E24
Source: Resource1.zip.0.dr Binary or memory string: "CA492","CP_PROGRAM_MGR","Program Manager ID","Corporate Actions","Corporate Actions","Identifier of the Program Manager. "," ","Equity"," "," "," "," "," "," "," "," ",4,0,"Integer"," "," ",20010924,"30"," "," "," "," "," "," ","Corporate Actions","N",
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C4E802 cpuid 0_2_00C4E802
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: GetWindowLongW,SetTimer,GetDlgItem,SendMessageW,GetDlgItem,SendMessageW,SetDlgItemTextW,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,LoadLibraryW,GetLocaleInfoW,DrawTextW,EndDialog,SHGetMalloc,_memset,LoadStringW,SHBrowseForFolderW,SHGetPathFromIDListW,_wcscpy,EndDialog,@_EH4_CallFilterFunc@8,KillTimer,_wcscpy,KiUserCallbackDispatcher, 0_2_00C2A4C0
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: IsProcessorFeaturePresent,__call_reportfault,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_00C4D10C
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW, 0_2_00C5A81A
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_00C5AACA
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: EnumSystemLocalesW, 0_2_00C5AA8A
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00C58A76
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW, 0_2_00C5ABCA
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_00C5AB47
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: GetLocaleInfoW, 0_2_00C58C74
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: EnumSystemLocalesW, 0_2_00C58C37
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: GetLocaleInfoW, 0_2_00C5ADBD
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00C5AEE5
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_00C5AFFA
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_00C5AF92
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 1_2_0046409C
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_004741D7
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 1_2_0046842D
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_004737CA
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_00473BD3
Source: C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_00472E26
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C580A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00C580A0
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C47759 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00C47759
Source: C:\Users\user\Desktop\rb7-1-3.exe Code function: 0_2_00C28100 GetVersionExW,GetDiskFreeSpaceW,LoadLibraryW,GetProcAddress,GetDiskFreeSpaceW,GetDiskFreeSpaceExA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00C28100
No contacted IP infos