Source: ENDIDEV.exe |
ReversingLabs: Detection: 50% |
Source: ENDIDEV.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: |
Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ENDIDEV.exe, 00000000.00000003.1740565281.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741300902.00000000006B6000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ENDEV.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: _.pdb source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1696604578.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\mscorlib.pdb{b source: ENDIDEV.exe, 00000000.00000003.1697566514.00000000006F0000.00000004.00000020.00020000.00000000.sdmp |
Source: ENDIDEV.exe, type: SAMPLE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code functions: 0_2_00408C60, 0_2_0040DC11, 0_2_00407C3F, 0_2_00418CCC, 0_2_00406CA0, 0_2_004028B0, 0_2_0041A4BE, 0_2_00418244, 0_2_00401650, 0_2_00402F20, 0_2_004193C4, 0_2_00418788, 0_2_00402F89, 0_2_00402B90, 0_2_004073A0, 0_2_023614B5, 0_2_02361493, 0_2_02360DA0, 0_2_02360D91, 0_2_05590470, 0_2_05590480 |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: String function: 0040E1D8 appears 43 times |
Source: ENDIDEV.exe, 00000000.00000003.1693799935.00000000006D8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000003.1693601906.00000000006D3000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMsMpLics.dllj% vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000003.1696604578.00000000006A0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1740809282.0000000000432000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000000.1692701756.0000000000426000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameENDEV.exe" vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename_.dll4 vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclrjit.dllT vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs ENDIDEV.exe |
Source: ENDIDEV.exe, 00000000.00000002.1741812100.00000000025E2000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $kq,\\StringFileInfo\\040904B0\\OriginalFilename vs ENDIDEV.exe |
Source: ENDIDEV.exe, type: SAMPLE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
Cryptographic APIs: 'CreateDecryptor' (3 occurrences) |
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
Cryptographic APIs: 'CreateDecryptor' (3 occurrences) |
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
Cryptographic APIs: 'CreateDecryptor' (3 occurrences) |
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
Cryptographic APIs: 'CreateDecryptor' (3 occurrences) |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/1@0/0 |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ENDIDEV.exe.log |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Command line argument: 08A (0_2_00413780) |
Source: ENDIDEV.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Sections loaded (in load order): apphelp.dll, kernel.appcore.dll, uxtheme.dll, mscoree.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, msasn1.dll, gpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 |
Source: ENDIDEV.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: ENDIDEV.exe |
Static PE information: real checksum: 0x23bfb should be: 0x37016 |
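Added example, not part of the sandbox report and not code from the sample: a standard-library-only re-implementation of the PE checksum behind the "real checksum: 0x23bfb should be: 0x37016" finding, plus a decoder for the Characteristics flags listed under "Static PE information" (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE). A stale checksum is expected after a packer or crypter rewrites the file without re-running the linker's checksum step, which is why the mismatch is worth flagging. The 320-byte PE32 header skeleton the script builds for itself is constructed for the demonstration and is not ENDIDEV.exe; run the script against a real file path to reproduce the finding on that file.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bits from the PE/COFF specification; the
# four flags the report lists for ENDIDEV.exe are among them.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}


def _header_offsets(data):
    """Return (offset of IMAGE_FILE_HEADER, offset of OptionalHeader.CheckSum)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # CheckSum sits at offset 64 of the optional header for both PE32 and PE32+.
    return coff, coff + 20 + 64


def characteristics(data):
    """Decode IMAGE_FILE_HEADER.Characteristics into flag names, lowest bit first."""
    coff, _ = _header_offsets(data)
    flags = struct.unpack_from("<H", data, coff + 18)[0]
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if flags & bit]


def stored_checksum(data):
    _, off = _header_offsets(data)
    return struct.unpack_from("<I", data, off)[0]


def compute_checksum(data):
    """Recompute OptionalHeader.CheckSum the way imagehlp's CheckSumMappedFile does:
    add the file as little-endian 32-bit words with end-around carry, skipping the
    word that holds the CheckSum field itself, fold to 16 bits, add the file size."""
    _, skip = _header_offsets(data)
    skip &= ~3  # the 4-byte word containing the CheckSum field
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def checksum_report(data):
    """Same three facts the sandbox prints: stored value, recomputed value, match."""
    stored, computed = stored_checksum(data), compute_checksum(data)
    return {"stored": stored, "computed": computed, "valid": stored == computed}


def build_minimal_pe(checksum_field=0, flags=0x0123):
    """Constructed 320-byte PE32 header skeleton with no sections (not the sample
    from the report); the default flags are the four the report lists."""
    img = bytearray(0x140)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x014C)          # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x54, 0xE0)            # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x56, flags)           # Characteristics
    struct.pack_into("<H", img, 0x58, 0x010B)          # Magic = PE32
    struct.pack_into("<I", img, 0x98, checksum_field)  # OptionalHeader.CheckSum
    return bytes(img)


if __name__ == "__main__":
    # Usage: python pe_checksum.py <file.exe>; with no argument the constructed
    # image is checked after being stamped with a deliberately wrong checksum.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0x23BFB)
    print("Characteristics:", ", ".join(characteristics(blob)))
    r = checksum_report(blob)
    print("real checksum: %#x should be: %#x (%s)" % (r["stored"], r["computed"],
                                                       "ok" if r["valid"] else "MISMATCH"))
```

A zero CheckSum is common in unsigned user-mode binaries and is not by itself suspicious; the loader only enforces the field for drivers and a few system images. A non-zero value that does not match, as here, means the file was modified after the value was written, which is the signal the sandbox is reporting.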
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_0040E21D push ecx; ret |
0_2_0040E230 |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd |
0_2_0040BBA3 |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_023644EB push edi; iretd |
0_2_023644EE |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_023650DF push esp; ret |
0_2_023650F1 |
Source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT' |
Source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT' |
Source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT' |
Source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT' |
Source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT' |
Source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, gBMthepoZSL1ZVKpeA.cs |
High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'uUcoG0Tc8', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT' |
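Added example, not taken from the report or from the sandbox's own engine: the statistic behind the "High entropy of concatenated method names" finding, computed over the ten names the report quotes for gBMthepoZSL1ZVKpeA.cs and over a constructed set of plausible hand-written names for comparison. The entropy threshold, the minimum-length guard and the second mixed-case-plus-digit signal are assumptions chosen for illustration; the sandbox's actual cut-off is not stated on this page.

```python
import math
from collections import Counter

# The ten method names quoted in the report for gBMthepoZSL1ZVKpeA.cs.
REPORTED_NAMES = ["reTlcDMFua", "nW4lBacjpc", "sMLlkdoJ60", "I5LlJVOMeQ", "qdll7OAZFb",
                  "QEmlZSRGOw", "uUcoG0Tc8", "N15X2cY3J", "NWNp5BRFs", "Q59l6jZOT"]

# Constructed comparison set (not from the report): names a hand-written
# .NET assembly would plausibly expose.
BENIGN_NAMES = ["Main", "GetData", "Load", "Save"]


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def name_entropy(names):
    """Entropy of the concatenated names: the statistic the report's heuristic scores."""
    return shannon_entropy("".join(names))


def mixed_alnum_fraction(names):
    """Share of names that mix upper case, lower case and digits, a second tell
    for renaming obfuscators that is independent of the entropy score."""
    def mixed(name):
        return (any(c.isupper() for c in name) and any(c.islower() for c in name)
                and any(c.isdigit() for c in name))
    return sum(mixed(n) for n in names) / len(names) if names else 0.0


def looks_obfuscated(names, entropy_threshold=4.5, min_chars=40):
    """Assumed thresholds. Sets shorter than `min_chars` are never flagged: a
    handful of names cannot reach high entropy however random they are, so a
    small class would otherwise be scored by its size rather than its names."""
    if len("".join(names)) < min_chars:
        return False
    return name_entropy(names) >= entropy_threshold


if __name__ == "__main__":
    for label, names in (("reported", REPORTED_NAMES), ("benign", BENIGN_NAMES)):
        print("%-8s entropy=%.2f mixed=%.1f obfuscated=%s" % (
            label, name_entropy(names), mixed_alnum_fraction(names), looks_obfuscated(names)))
```

Entropy alone misfires on legitimately short or legitimately random-looking identifiers (hashes, GUID-derived names), which is why the report pairs it with YARA matches and runtime behaviour rather than treating it as a verdict.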
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Process information set: NOOPENFILEERRORBOX (31 occurrences) |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Memory allocated: 2270000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Memory allocated: 2570000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Memory allocated: 22C0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Thread delayed: delay time: 922337203685477 (a 0x8000000000000000 100 ns interval expressed in milliseconds, i.e. the indefinite wait that Sleep(INFINITE) requests) |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Users\user\Desktop\ENDIDEV.exe TID: 7324 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0040CE09 |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree, |
0_2_0040ADB0 |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0040E61C |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00416F6A |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_004123F1 SetUnhandledExceptionFilter, |
0_2_004123F1 |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_00417A20 GetLocaleInfoA, |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
0_2_00412A15 |
Source: C:\Users\user\Desktop\ENDIDEV.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.49f0000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.358d590.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.2110f8e.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.49f0000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.2110086.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.2110f8e.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.2110086.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.358d590.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.3576478.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.2500000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.3575570.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.3575570.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.2500000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.ENDIDEV.exe.689b38.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.2500f08.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.3576478.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.2500f08.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.ENDIDEV.exe.689b38.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.1742459576.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1741733788.0000000002500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.1694021851.0000000000689000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1742786574.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1741390309.00000000020D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: ENDIDEV.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.ENDIDEV.exe.400000.0.unpack, type: UNPACKEDPE |