Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Avira: detected |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | ReversingLabs: Detection: 65% |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Binary string (PDB path): C:\Users\Michael\Documents\Visual Studio 2005\Projects\stockChartUserUpdate2017\obj\Debug\stockChartUserUpdate.pdb |
Source: Yara match | File source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe.1ff84540000.0.unpack, type: UNPACKEDPE |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0 |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://itax.twca.com.tw/ecplus/ecplus_UCA_2018_sha1.crl0_ |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://itax.twca.com.tw/xmlrca/TaiCARootCA_2012.crl0 |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr606 |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0 |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://stock88168.500.com.tw//aps// |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.stock5168.n9s.com//aps// |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000002.3256414378.000001FF86331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.stock88168.com.tw//aps// |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://www.stock88168.com.tw//aps//Ghttp://www.stock5168.n9s.com//aps//Ghttp://stock88168.500.com.tw |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://www.stock88168.com.tw//program//ShowMyPC1.exe |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: http://www.twca.com.tw/0 |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: https://www.stock881688.com.tw/ |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | String found in binary or memory: https://www.twca.com.tw/0L |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Code function: 0_2_00007FF848F10B5D |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Static PE information: invalid certificate |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe, 00000000.00000000.2004352849.000001FF8454A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: stockChartUserUpdate.exe vs SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Binary or memory string: OriginalFilename: stockChartUserUpdate.exe vs SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe |
Source: classification engine | Classification label: mal60.troj.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Mutant created: NULL |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01% |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: ucrtbase_clr0400.dll (2 entries) |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: dwrite.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Section loaded: wintypes.dll (3 entries) |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Process information set: NOOPENFILEERRORBOX (31 identical entries) |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Memory allocated: 1FF84880000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Memory allocated: 1FF9E330000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe VolumeInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10310.21629.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
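Triage notes on the report above, with an added helper script (not part of the sandbox output, and not the sample's own code). Three things in the listing deserve a second look before any of it is copied into a blocklist. First, the "String found in binary or memory" URLs mix two very different populations: the globalsign.com and twca.com.tw entries are CRL, OCSP and AIA URLs from the Authenticode certificate chain embedded in the file (a TWCA-issued code-signing certificate countersigned by a GlobalSign timestamping CA), which matches the "invalid certificate" finding rather than any network behaviour, while the stock88168.com.tw / stock5168.n9s.com / stock88168.500.com.tw entries are the hosts the program itself references, including a download URL for ShowMyPC1.exe. The odd trailing characters on the certificate URLs ("crl0", "crl0_", "g40C", "rootr606", "/0L") are the DER tag and length bytes that follow each string inside the certificate, not part of the URL. Second, the glued-together line "…//aps//Ghttp://www.stock5168.n9s.com//aps//Ghttp://stock88168.500.com.tw" is consistent with a .NET #US string heap being read by an ASCII string scanner: each "G" (0x47 = 71) is the length prefix of the next 35-character URL (35 UTF-16 characters, 70 bytes, plus one terminal byte), and both neighbouring URLs are exactly 35 characters long; the last fragment is shorter only because the report line is truncated, and its full form appears separately above. Third, the 31 NOOPENFILEERRORBOX entries and the "memory reserve | memory write watch" allocations are what the CLR itself does on startup for any .NET executable (mscoree.dll loaded, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present), so on their own they carry little signal for a .NET sample. The script below parses lines in this report's format, collapses repeats into counts, separates certificate-chain URLs from network IOCs, trims the DER bytes, and checks the #US length-prefix interpretation. The sample name is shortened to sample.exe and the CA domain list is an assumption specific to this sample's certificate chain.

```python
"""Triage helper for sandbox report lines like the ones above (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed input: lines copied from the report above, with the sample name
# shortened to sample.exe. The "| Jump to behavior |" link text is kept so the
# parser can be seen dropping it.
SAMPLE_REPORT = r"""
Source: sample.exe | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0 |
Source: sample.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr606 |
Source: sample.exe | String found in binary or memory: http://itax.twca.com.tw/ecplus/ecplus_UCA_2018_sha1.crl0_ |
Source: sample.exe | String found in binary or memory: https://www.twca.com.tw/0L |
Source: sample.exe | String found in binary or memory: http://www.stock88168.com.tw//program//ShowMyPC1.exe |
Source: sample.exe | String found in binary or memory: http://www.stock88168.com.tw//aps//Ghttp://www.stock5168.n9s.com//aps//Ghttp://stock88168.500.com.tw |
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\sample.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\sample.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\sample.exe | Section loaded: mscoree.dll | Jump to behavior |
"""

# CAs whose CRL/OCSP/AIA URLs sit in this sample's embedded certificate chain
# (GlobalSign timestamping CA, TWCA code-signing CA). Assumption for this example.
CA_DOMAINS = ("globalsign.com", "twca.com.tw")


def parse_report(text):
    """Return (source, finding) pairs, dropping empty cells and the link text."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Source:"):
            continue
        cells = [c.strip() for c in line.split("|")]
        cells = [c for c in cells if c and c != "Jump to behavior"]
        rows.append((cells[0][len("Source:"):].strip(), " | ".join(cells[1:])))
    return rows


def count_findings(rows):
    """Collapse verbatim repeats (the report lists one row per API call)."""
    return Counter(finding for _, finding in rows)


def us_heap_prefix(s):
    """Length prefix of a #US heap entry (ECMA-335 II.24.2.4 / II.23.2):
    compressed uint of (UTF-16 byte count + 1 terminal flag byte)."""
    n = len(s.encode("utf-16-le")) + 1
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    return bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])


def split_joined_strings(blob):
    """Split a run of #US heap strings that a string scanner glued together.

    Every piece but the last carries one extra trailing character: the length
    prefix of the string that follows. Returns [(url, prefix_ok)]; prefix_ok is
    None for the last piece and False when the next piece is shorter than its
    prefix announces, which here means the report line was truncated.
    """
    pieces = [p for p in re.split(r"(?=https?://)", blob) if p]
    urls = [p[:-1] if i < len(pieces) - 1 else p for i, p in enumerate(pieces)]
    result = []
    for i, url in enumerate(urls):
        if i == len(urls) - 1:
            result.append((url, None))
        else:
            tag = pieces[i][-1].encode("latin-1")
            result.append((url, tag == us_heap_prefix(urls[i + 1])))
    return result


def classify_urls(rows):
    """Split URL strings into certificate-chain URLs and network IOCs.

    Cert URLs come straight out of DER, so the scanner appends the next tag and
    length bytes ('0' = 0x30 SEQUENCE, then one length byte); those are trimmed.
    """
    cert_urls, iocs = set(), set()
    for _, finding in rows:
        m = re.search(r"https?://\S+", finding)
        if not m:
            continue
        for url, _ok in split_joined_strings(m.group(0)):
            host = urlparse(url).hostname or ""
            if any(host == d or host.endswith("." + d) for d in CA_DOMAINS):
                cert_urls.add(re.sub(r"0.?$", "", url))
            else:
                iocs.add(url)
    hosts = {urlparse(u).hostname for u in iocs}
    return {"cert_infra": sorted(cert_urls), "iocs": sorted(iocs), "hosts": sorted(hosts)}


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for finding, n in count_findings(rows).most_common():
        print(f"{n:3d}x {finding}")
    for key, values in classify_urls(rows).items():
        print(key, values)
```

The DER trimming is deliberately limited to hosts on the CA list, because a "0" at the end of a genuine application URL is not an artefact. The prefix check in split_joined_strings is the part worth keeping: if a joined string's separator byte does not equal the computed length prefix of what follows, either the scanner was not reading a #US heap or, as with the last fragment here, the report truncated the line.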