Source: File-11F_385347.exe |
Virustotal: Detection: 8% |
Perma Link |
Source: File-11F_385347.exe, 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
memstr_5626c899-d |
Source: File-11F_385347.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: File-11F_385347.exe |
Static PE information: certificate valid |
Source: unknown |
HTTPS traffic detected: 104.26.5.9:443 -> 192.168.2.4:49735 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49741 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49756 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49757 version: TLS 1.2 |
Source: File-11F_385347.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Joe Sandbox View |
IP Address: 239.255.255.250 239.255.255.250 |
Source: Joe Sandbox View |
JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4 |
Source: Joe Sandbox View |
JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.222.162.32 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.222.162.32 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.45.182.93 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.45.182.93 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 208.111.136.0 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 208.111.136.0 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 172.64.149.23 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.18.38.233 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.18.38.233 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.18.38.233 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 172.64.149.23 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.18.38.233 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.204.76.112 |
Source: global traffic |
HTTP traffic detected: GET /9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3951714152424 HTTP/1.1Host: contentworldinc.comUser-Agent: NSIS_InetLoad (Mozilla)Accept: */* |
Source: global traffic |
HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lKGzUXrWxPethMt&MD=L1MXdGvK HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com |
Source: global traffic |
HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lKGzUXrWxPethMt&MD=L1MXdGvK HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com |
Source: global traffic |
HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNHIr7EGIjBbcI5gdfmKwCdV__yDFi29L_2EfWEBQ0qVQQiZdNjzBeDdBnmbFvPJWbk3gUOEyDUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-17; NID=513=nnNvhDpc2wNur5rZ2GPGFYYW98DsoxA86Ww61SxrQhbN75bLgvGv66xto5kBou_BZhKvAQUkIJHuNQWnDyPOWmD2cDFR-PV6p_69ua1MuHp3KdSQzVdxG3lFb7byaUXTatUSMGCpLe3XoQ4DJntYUwZfNBnE2izQ4aeaz0zlO2U |
Source: global traffic |
HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNLIr7EGIjCTne0bwf48RoRhZuPH4pFklPwwJFOSRYaI2xBpyQCasbMRMkTzYh04Cbc12bYZbG0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-17; NID=513=l_QNb-B5hpXOC8bBQtAnRM5M-JbSLPNITwf3h_zzOX-4tA7Uizy-BaeugZBG7UohQDR3Tb4z0cNNuel3fvNX5P-fJCml_L9vq2TTwKMYH4Rrj4_7jsYQ6-e9F0ZevySaj64gEML3uSW9TC_9wzv4XbwIZ6hlgXjNPVLsnuorypY |
Source: global traffic |
HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com |
Source: global traffic |
DNS traffic detected: DNS query: contentworldinc.com |
Source: global traffic |
DNS traffic detected: DNS query: www.google.com |
Source: File-11F_385347.exe |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: File-11F_385347.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 |
Source: File-11F_385347.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 |
Source: File-11F_385347.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: File-11F_385347.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# |
Source: File-11F_385347.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# |
Source: File-11F_385347.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: File-11F_385347.exe |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: File-11F_385347.exe |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: File-11F_385347.exe |
String found in binary or memory: http://ocsp.sectigo.com0M |
Source: MPC-HC.1.9.13.x86.exe.0.dr |
String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU |
Source: File-11F_385347.exe, 00000000.00000003.1873509339.0000000001507000.00000004.00000020.00020000.00000000.sdmp, File-11F_385347.exe, 00000000.00000002.1875482614.000000000152C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3 |
Source: File-11F_385347.exe |
String found in binary or memory: https://curl.se/docs/alt-svc.html |
Source: File-11F_385347.exe |
String found in binary or memory: https://curl.se/docs/hsts.html |
Source: File-11F_385347.exe |
String found in binary or memory: https://curl.se/docs/http-cookies.html |
Source: File-11F_385347.exe |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49748 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49746 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49735 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49753 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49757 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49756 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49757 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49675 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49754 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49753 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49749 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49747 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49749 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49748 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49754 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49735 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49747 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49746 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49756 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: unknown |
HTTPS traffic detected: 104.26.5.9:443 -> 192.168.2.4:49735 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49741 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49756 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49757 version: TLS 1.2 |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_00AB1380 |
0_2_00AB1380 |
Source: File-11F_385347.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine |
Classification label: sus36.winEXE@15/3@3/5 |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
File created: C:\Users\user\AppData\Local\MPC-HC |
Jump to behavior |
Source: File-11F_385347.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: File-11F_385347.exe |
Virustotal: Detection: 8% |
Source: File-11F_385347.exe |
String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s %u %s %s %u "%d%02d%02d %02d:%02d:%02d" %u %d |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
File read: C:\Users\user\Desktop\File-11F_385347.exe |
Jump to behavior |
Source: unknown |
Process created: C:\Users\user\Desktop\File-11F_385347.exe "C:\Users\user\Desktop\File-11F_385347.exe" |
|
Source: unknown |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: explorerframe.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: textinputframework.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: coreuicomponents.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: textshaping.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32 |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: File-11F_385347.exe |
Static PE information: certificate valid |
Source: File-11F_385347.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: File-11F_385347.exe |
Static file information: File size 23731296 > 1048576 |
Source: File-11F_385347.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6afe00 |
Source: File-11F_385347.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: File-11F_385347.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: File-11F_385347.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: File-11F_385347.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: File-11F_385347.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: File-11F_385347.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: File-11F_385347.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: File-11F_385347.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: File-11F_385347.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: File-11F_385347.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: File-11F_385347.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: File-11F_385347.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: File-11F_385347.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_010CB853 push ecx; ret |
0_2_010CB866 |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
File created: C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe |
Jump to dropped file |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe |
Jump to dropped file |
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Microsoft Hyper-V VHDPMEM BTT Filter |
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Microsoft Hyper-V Storage Accelerator |
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Microsoft Hyper-V Virtual PCI Bus |
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Microsoft Hyper-V Guest Infrastructure Driver |
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: VMware VMCI Bus Driver |
Source: File-11F_385347.exe, 00000000.00000003.1708572666.000000000152C000.00000004.00000020.00020000.00000000.sdmp, File-11F_385347.exe, 00000000.00000003.1708752786.000000000152D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Process information queried: ProcessInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_011223FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_011223FD |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_0113553C mov eax, dword ptr fs:[00000030h] |
0_2_0113553C |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_01126779 mov ecx, dword ptr fs:[00000030h] |
0_2_01126779 |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_011354F8 mov eax, dword ptr fs:[00000030h] |
0_2_011354F8 |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Process token adjusted: Debug |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Process token adjusted: Debug |
Jump to behavior |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_010CB057 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_010CB057 |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_011223FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_011223FD |
Source: C:\Users\user\Desktop\File-11F_385347.exe |
Code function: 0_2_010CC06B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_010CC06B |